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Abstract — Strategy Logic (Sl, for short) has been recently 4? 
introduced by Mogavero, Murano, and Vardi as a useful 43 
formalism for reasoning explicitly about strategies, as first- 
order objects, in multi-agent concurrent games. This logic turns 
to be very powerful, subsuming all major previously studied ™ 
modal logics for strategic reasoning, including Atl, Atl*, and 
the like. Unfortunately, due to its expressiveness, Sl has a non-52 
elementarily decidable model-checking problem and a highly 53 
undecidable satisfiability problem, specifically. Si-hard. In 
order to obtain a decidable sublogic, we introduce and study 
here One-Goal Strategy Logic (Sl[1g], for short). This logic 
is a syntactic fragment of Sl, strictly subsuming Atl*, which 
encompasses formulas in prenex normal form having a single 57 
temporal goal at a time, for every strategy quantification of 53 
agents. Sl[1g] is known to have an elementarily decidable 
model-checking problem. Here we prove that, unlike Sl, it has 
the bounded tree-model property and its satisfiability problem ^° 
is decidable in 2ExpTime, thus not harder than the one for ^1 
Atl*. 62 
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I. Introduction 

In open system verification [4], [13], a very prolific area 
of research is the investigation of modal logics for strategic 
ability in the setting of multi-agent games [1], [11], [19]. An 
important contribution in this field has been the development 
of Alternating-Time Temporal Logic (Atl*, for short), intro- 
duced by Alur, Henzinger, and Kupferman [1]. Atl* allows 
reasoning about strategic behavior of agents with temporal 
goals. Formally, it is obtained as a generalization of the well 
know branching-time temporal-logic Ctl* [5] where the 
path quantifiers, there exists "E" and /or all "A", are replaced 
with strategic modalities of the form "((A))" and "[[A]]", 
where A is a set of agents. Strategic modalities over agent 
sets are used to express cooperation and competition among 
them in order to achieve certain goals. In particular, these 
modalities express selective quantifications over those paths 
that are the results of infinite games between a coalition and 
its complement. 

Atl* formulas are interpreted over concurrent game struc- 
tures (Cos, for short) [1], which model interacting processes. 
Given a Cos Q and a set A of agents, the Atl* formula 
((A))-)/) is satisfied at a state s of Q if there is a set of 
strategies for agents in A such that, no matter strategy is 
executed by agents not in A, the resulting outcome of the 
interaction in Q satisfies if) at s. 

Several decision problems have been investigated about 
Atl*; both its model-checking and satisfiability problems 



are decidable in 2ExpTlME [21]. The complexity of the 
latter is just Uke the one for Ctl* [6], [7]. 

Despite its powerful expressiveness, Atl* suffers from 
the strong limitation that strategies are treated only im- 
plicitly through modalities that refer to games between 
competing coalitions. To overcome this problem, Chatterjee, 
Henzinger, and Piterman introduced Strategy Logic (CHP- 
Sl, for short) [2], a logic that treats strategies in two- 
player turn-based games as first-order objects. The explicit 
treatment of strategies in this logic allows the expression of 
many properties not expressible in Atl*. While the model- 
checking problem of CHP-Sl is known to be decidable, 
with a non-elementary upper bound, it is not known if the 
satisfiability problem is decidable [2], [3]. 

While the basic idea exploited in [2] of quantifying 
explicit over strategies is powerful and useful [8], CHP- 
Sl still presents severe limitations. Among the others, it 
needs to be extended to the more general concurrent multi- 
agent setting. Furthermore, CHP-Sl does not allow different 
players to share the same strategy, suggesting that strategies 
have yet to become first-class objects in this logic. 

These considerations led us to introduce and investigate 
a new Strategy Logic, denoted Sl, as a more general frame- 
work than CHP-Sl for explicit reasoning about strategies in 
multi-agent concurrent games [16]. Syntactically, Sl extends 
the linear-time temporal-logic Ltl [20] by means of two 
strategy quantifiers, the existential ((a;)) and the universal 
[[x]], as well as agent binding (a,x), where a is an agent 
and X a variable. Intuitively, these elements can be read as 
"there exists a strategy x ", "for all strategies x ", and "bind 
agent a to the strategy associated with x ", respectively. 

For example, in a Cos Q with agents a, (3, and 7, consider 
the property "a and /3 have a common strategy to avoid a 
failure". This property can be expressed by the Sl formula 
((x))[[y]](a,x)(/?,x)(7,y)(G -^fail). The variable x is used to 
select a strategy for the agents a and [3, while y is used 
to select one for 7 such that their composition, after the 
binding, results in a play where fail is never meet. Further 
examples, motivations, and results can be found in a recent 
technical report [15]. 

The price that one has to pay for the expressiveness of Sl 
is the lack of important model properties and an increased 
complexity of the related decision problems. In particular, 
in [16], we showed that Sl does not have the bounded- 
tree model property and the related satisfiabiUty problem 



is highly undecidable, precisely, SJ-hard. 52 

The contrast between the undecidabihty of the satisfia- 
biUty problem for Sl and the elementary decidability of^^ 
the same problem for Atl*, provides motivation for an 
investigation of decidable fragments of Sl that subsume 
Atl*. In particular, we would like to understand why Sl^^ 
is computationally more difficult than Atl*. 

We introduce here the syntactic fragment One-Goal Strat-^ 
egy Logic (Sl[1g], for short), which encompasses formulas 
in a special prenex normal form having a single temporal 
goal at a time. This means that every temporal formula ip is 
prefixed with a quantification-binding prefix that quantifies 
over a tuple of strategies and bind strategies to all agents. 

In a technical report [15], we showed that Sl[1g] is " 
strictly more expressive that Atl*, yet its model-checking ^ 
problem is 2ExpTime-complete, just like the one for'''' 
Atl*, while the same problem for Sl is non-elementarily 
decidable. Our main result here is that the satisfiabihty ^ 
problem for Sl[1g] is also 2ExpTime-C0MPLETE. Thus,^^ 
in spite of its expressiveness, Sl[1g] has the same computa-''" 
tional properties of Atl*, which suggests that the one-goal 
restriction is the key to the elementary complexity of the 
latter logic too. 

To achieve our main result, we use a fundamental property 
of the semantics of this logic, called elementariness, which 
allows us to simplify reasoning about strategies by reducing '"^ 
it to a set of reasonings about actions. This intrinsic charac-^^ 
teristic of Sl[1g], not shared by Sl, asserts that to choose ™ 
an existential strategy, we do not need to know the entire '■^ 
structure of universally-quantified strategies, as it is the case so 
for Sl, but only their values on the histories of interest. si 
Technically, to formally describe this property, we make use 
of the machinery of dependence map, which is introduced ^ 
to define a Skolemization procedure for Sl, inspired by the 84 
one in first-order logic. ^ 

Using elementariness, we show that Sl[1g] satisfies these 
bounded tree-model property. This allows us to efficiently sy 
make use of a tree automata-theoretic approach [22], [24] 
to solve the satisfiability problem. Given a formula ^p, we sg 
build an alternating co-Bilchi tree automaton [12], [18], m 
whose size is only exponential in the size of (p, accepting 91 
all bounded-branching tree models of the formula. Then, 92 
together with the complexity of automata-nonemptiness 93 
checking, we get that the satisfiability procedure for Sl[1g] 94 
is 2ExpTime. We believe that our proof techniques are of 95 
independent interest and applicable to other logics as well. 96 

The paper is almost self contained; all proofs are reported 97 
in the appendixes. In Appendix A, we recall standard math-98 
ematical notation and some basic definitions that are used 99 
in the paper. Additional details on Sl[1g] can be found imoo 
the technical report [15]. 101 
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II. Preliminaries 

A concurrent game structure (Cgs, for short) [1] is a 
tuple Q = (AP,Ag,Ac, St, A.T, .So), where AP and Ag are 
finite non-empty sets of atomic propositions and agents, Ac 
and St are enumerable non-empty sets of actions and states. 
So G St is a designated initial state, and A : St — > 2^ 
is a labeling function that maps each state to the set of 
atomic propositions true in that state. Let Do = Ac^^ 
be the set of decisions, i.e., functions from Ag to Ac 
representing the choices of an action for each agent. Then, 
T : St X Do — > St is a transition function mapping 
a pair of a state and a decision to a state. If the set 
of actions is finite, i.e., b = |Ac| < w, we say that 
Q is 6-bounded, or simply bounded. If both the sets of 
actions and states are finite, we say that Q is finite. 

A track (resp., path) in a Cgs is a finite (resp., an 
infinite) sequence of states p G St* (resp., tt e St'^) such 
that, for all i G [0, |p| — 1[ (resp., i G N), there exists 
a decision d G Do such that (p)i+i = T((p)i,d) (resp., 
(7r)j+i = T((7r)i, d)). A track p is non-trivial if \p\ > 0, i.e., 
p=ie. Trk C St+ (resp., Pth C St") denotes the set of all 
non-trivial tracks (resp., paths). Moreover, Trk(s) = {p G 
Trk : fst(p) = s} (resp., Pth(s) = {tt G Pth : fst(7r) = s}) 
indicates the subsets of tracks (resp., paths) starting at a state 
s G St. 

A strategy is a partial function f : Trk — ^ Ac that maps 
each non-trivial track in its domain to an action. For a state 
s G St, a strategy f is said s-total if it is defined on all 
tracks starting in s, i.e., dom(f) = Trk(s). Str = Trk — ^ Ac 
(resp., Str(s) ^ Trk(s) — > Ac) denotes the set of all (resp., 
s-total) strategies. For all tracks p G Trk, by (f)p G Str 
we denote the translation of f along p, i.e., the strategy 
with dom((f)p) = {Ist(p) ■ p' : p ■ p' e dom(f)} such that 
(f)p(lst(p) • /) 4 f(p • p'), for all p-p' e dom(f). 

Let Var be a fixed set of variables. An assignment is 
a partial function x ■ Var U Ag ^ Str mapping variables 
and agents in its domain to a strategy. An assignment x is 
complete if it is defined on all agents, i.e., Ag C dom(x). For 
a state s G St, it is said that x is s-total if all strategies x(/) 
are s-total, for I G dom(x). Asg = Var U Ag ^ Str (resp., 
Asg(s) = Var U Ag — ^ Str(s)) denotes the set of all (resp., 
s-total) assignments. Moreover, Asg(X) = X — > Str (resp., 
Asg(X, s) = X — >^ Str(s)) indicates the subset of X-defined 
(resp., s-total) assignments, i.e., (resp., s-total) assignments 
defined on the set X C Var U Ag. For all tracks p G Trk, by 
{X)p S Asg(lst(p)) we denote the translation of x along p, 
i.e., the lst(p)-total assignment with dom((x)p) — dom(x), 
such that (xyO - (x(O)p' for all / G dom(x). For all 
elements I G Var U Ag, by x[^ f] G Asg we denote the 
new assignment defined on dom(x[/ 1-^ f]) — donn(x) U {1} 
that returns f on I and x otherwise, i.e., x[l*^^{l)—^ 
X[l^m')=x{n for all rGdom(x)\{/}. 

A path TT G Pth(s) starting at a state s G St is a play 



1 w.r.t. a complete s-total assignment x € Asg(s) ((x, s)-play, 52 

2 for short) if, for all i G N, it holds that = T((7r)j, d),53 

3 where d(a) = x(a)((7r)<i), for each a G Ag. The partial 54 

4 function play : Asg x St ^ Pth, with dom(play) = {(%, s) :55 

5 Ag C dom(x)Ax € Asg(s)As G St}, returns the (%, s)-play se 

6 play(x, s) S Pth(s), for all (x, s) in its domain. 57 

7 For a state s e St and a complete s-total assignment 58 

8 X G Asg(s), the i-th global translation of (x, s), with i G N, 59 

9 is the pair of a complete assignment and a state (x, s)* — eo 
((x)(7r)<i, Wi), where tt = play(x, s). 61 

11 From now on, we use the name of a CGS as a subscript to 62 

12 extract the components from its tuple-structure. Accordingly, ea 

13 if ^ = (AP, Ag, Ac, St, A, r, sq), we have Acg = Ac, Xg = 

14 A, Sog = So, and so on. Also, we use the same notational 

15 concept to make explicit to which Cgs the sets Do, Trk, 

16 Pth, etc. are related to. Note that, we omit the subscripts 

17 if the structure can be unambiguously individuated from the 

18 context. 

69 

19 III. One-Goal Strategy Logic 

71 

20 In this section, we introduce syntax and semantics of 

21 One-Goal Strategy Logic (Sl[1g], for short), as a syntactic 

22 fragment of Sl, which we also report here for technical 
reasons. For more about Sl[1g], see [15]. 

Sl Syntax: Sl syntactically extends Ltl by means of 75 
two strategy quantifiers, existential {{x)) and universal [[ 

^11 J 76 

and agent binding (a,x), where a is an agent and X IS a 77 
variable. Intuitively, these elements can be read, respectively, 73 
as "there exists a strategy x ", "for all strategies x ", and 79 
"bind agent a to the strategy associated with the variable so 
x". The formal syntax of Sl follows. si 



Definition III.l (Sl Syntax). Sl formulas are built induc- 
tively from the sets of atomic propositions AP, variables 83 
Var, and agents Ag, by using the following grammar, where s4 

34 p G AP, x G Var, and a G Ag.- S5 

35 ::= p I ^ip \ ip A \ (pM \ y^ip \ (p \ (pR(p \ {{x))(p \ 

36 lx]iip\{a,x)ip. 

88 

37 By sub : Sl — > 2^^ we denote the function return- 89 

38 ing the set of subformulas of an Sl formula. For in- 90 

39 stance, with ip = ((x))(q!,x)(F p), we have that 5ub{(p) =91 

40 {(p, (a, x)(F p), (F p), p, t}. By free(Lp) we denote the set of 92 

41 free agents/variables of (p defined as the subset of Ag U Var 93 

42 containing ( i) all the agents for which there is no variable 94 

43 application after the occurrence of a temporal operator and 95 

44 ( ii) all the variables for which there is an application but no 96 

45 quantification. For example, let ip = {{x)){a,x){P,y){F p)97 

46 be the formula on agents Ag = {a, /3,j}. Then, we have 98 

47 free((p) = {7, y}, since 7 is an agent without any application 99 

48 after F p and y has no quantification at all. A formula (p with^oo 

49 out free agents (resp., variables), i.e., with hee{ip) H Ag = 0ioi 

50 (resp., free((p) fl Var = 0), is named agent-closed (resp. ,102 

51 variable-closed). If ip is both agent- and variable-closed, itio3 



is named sentence. The function snt : Sl — )■ 2^'' returns the 
set of subsentences snt((p) = {(j) & sub((^) : free(^) = 0} 
for each Sl formula ip. 

Sl Semantics: As for Atl*, we define the semantics of 
Sl w.r.t. concurrent game structures. For a Cgs G, a state 
s, and an s-total assignment x with free(</?) C dom(x), we 
write ^, X) s H to indicate that the formula ip holds at s 
under the assignment x- The semantics of the Sl formulas 
involving p, A, and V, is defined as usual in Ltl and we 
omit it here (see [15], for the full definition). The seman- 
tics of the remaining part, which involves quantifications, 
bindings, and temporal operators follows. 

Definition III.2 (Sl Semantics). Given a CGS Q, for all 

Sh formulas p, states s G St, and s-total assignments x G 
Asg(s) with free((y9) C dom(x), the relation Q,X^s \= ip is 
inductively defined as follows. 

1) ^) Xi * 1= ((2;))<^ iff there exists an s-total strategy f G 
Str(s) such that Q, xi^ ^ s \= ip; 

2) G,XjS \= [[a;]]<^ iff for all s-total strategies f G Str(s) 
it holds that G ,x[x ^ s \= ip. 

Moreover, if free((^) U {a;} C dom(x) U {a} for an agent 
a G Ag, it holds that: 

3) G,X,s^ {a,x)ip iffG,x[a '-^ x{x)],s |= ip. 
Finally, if x is also complete, it holds that: 

4) G.x,s^y^ipifG,{x,sY^v; 

5) X) ^ 1= 'PiU ^2 if there is an index i G N with k<i 
such that G, (Xj \= ip2 and, for all indexes j G N 
with k< j<i, it holds that G, {x^sY \=ipi; 

6) G,XjS 1= ¥'1 R ¥'2 if for all indexes i G N with k<i, 
it holds that G, (X) ^Y N f2 or there is an index j G N 
with k<j<i such that G, (Xi ^Y l=Vi- 

Intuitively, at Items 1 and 2, respectively, we evaluate the 
existential {{x)) and universal [[x]] quantifiers over strategies, 
by associating them to the variable x. Moreover, at Item 3, 
by means of an agent binding (a,x), we commit the agent 
a to a strategy associated with the variable x. It is evident 
that the Ltl semantics is simply embedded into the Sl one. 

A Cgs ^7 is a model of an Sl sentence ip, denoted by 
G 1= y', iff ^, 0, So t= where is the empty assignment. 
Moreover, ip is satisfiable iff there is a model for it. Given 
two Cgs s Gi, G2 and a sentence p, we say that p is 
invariant under Gi and G2 iff it holds that: Gi \= <p iff 
G2 \= 'P- Finally, given two Sl formulas ip\ and <p2 with 
free(pi) = free(p2), we say that ipi implies ip2, in symbols 
tpi ip2, if, for all Cgss G, states s G St, and free((^i)- 
defined s-total assignments x G Asg(free(<^i), s), it holds 
that if G, Xi * 1= fl then GjXt^ \^ P2- Accordingly, we say 
that ipi is equivalent to (^2, in symbols ipi = ip2, if ipi => ip2 
and ip2 => ip\. 



As an example, consider 
the Sl sentence ip = ((x))[[y]] 
((z))((a,x)(/3,y)(Xp) A 
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(a,y)(/3,z)(Xq)). Note 
that both agents a 
and /9 use the strategy 
associated with y to 
achieve simultaneously the 
Ltl goals X p and X q, 

respectively. A model for Lp is the Cos Q = ({p,q}, 
{a,^},{0, l},{so,si,S2,S3},A,T,so), where A(so) = 0, 
A(si) ^ {p}, A(S2) ^ {p,q}, A(S3) ^ {q}, t(so, 
(0,0)) ^ Si, t(so.(0,1)) ^ S2, r(so,(l,0)) ^ S3, and all 
the remaining transitions go to sq. See the representation 
of Q depicted in Figure 1, in which vertexes are states of 
the game and labels on edges represent decisions of agents 
or sets of them, where the symbol * is used in place of 
every possible action. Clearly, Q \^ iph^ letting, on Sq, the 
variables x to chose action (the goal (Q!,x)(^,y)(X p) is 
satisfied for any choice of y, since we can move from sq to 
either si or S2, both labeled with p) and z to choose action 
1 when y has action and, vice versa, when y has 1 (in 
both cases, the goal (a, y)(/3,z)(X q) is satisfied, since one 
can move from Sq to either S2 or S3, both labeled with q). 

Sl[1g] Syntax: To formalize the syntactic fragment 
Sl[1g] of Sl, we need first to define the concepts of 
quantification and binding prefixes. 

Definition ni.3 (Prefixes). A quantification prefix over a 

set V C Var of variables is a finite word p G {((a^)), [[x]] ^ 
: X e V}'^' of length |V| such that each variable x € V^g 
occurs just once in p. A binding prefix over asetN C Var of 
variables is a finite word b G {(a,a;) : a G Ag Aa; S V}''^^' ^ 
of length |Ag| such that each agent a G Ag occurs just 
once in b. Finally, Qnt(V) C { ((x)) , [[a;]] : x G V}'^' o.nd 
Bnd(V) C {{a,x) : a € Ag A x € V}l^sl denote, re spec- ^ 
tively, the sets of all quantification and binding prefixes over 
variables in V. ^ 

We can now define the syntactic fragment we want to ^ 
analyze. The idea is to force each group of agent bindings, ''^ 
represented by a binding prefix, to be coupled with a^^ 
quantification prefix. 

90 

Definition ni.4 (Sl[1g] Syntax). Sy,\Ig] formulas are built 

inductively from the sets of atomic propositions AP, quantifi-^^ 
cation prefixes Qnt(V), for V C Var, and binding prefixes 
Bnd(Var), by using the following grammar, with p G AP,^ 
P e UvcvarQnt(V), and b G Bnd(Var).- 

95 

ip::=p\^ip\ipAip\ipVip\Xip\ipUip\ipRip \ plxp, ^ 
with p G Qnt(free(b(^)), in the formation rule plxp. 

98 

In the following, for a goal we mean an Sl agent-closed 
formula of the kind \>(p, where if is variable-closed and b G 
Bnd(free(?/')). Moreover, an Sl[1g] sentence is principal 
if it is of the form Lp = p\>ip, where \)tp is a goal and p G101 
Qnt(free(bV')). By psnt((/5) C snt((p) we denote the set ofio2 
all principal subsentences of the Sl[1g] formula if. 103 



As an example, let (pi = pbiipi and p2 = plbiV^i Ab2V'2), 
where p = [[x]]((y))[[z]], bi = (a, x)(/3, y)(7, z), b2 = 
(a,y)(/3,z)(7,y), = G F p, and '02 = G q. Then, it 
is evident that tpi G Sl[1g] but ip2 ^ Sl[1g], since the 
quantification prefix p of the latter does not have in its scope 
a unique goal. 

IV. Strategy Quantifications 

We now define the concept of dependence map. The 
key idea is that every quantification prefix contained in an 
Sl formula can be represented by a suitable choice of a 
dependence map over strategies. Such a result is at the base 
of the definition of the elementariness property and allows 
us to prove that Sl[1g] is elementarily satisfiable, i.e., we 
can simplify a reasoning about strategies by reducing it to 
a set of local reasonings about actions [15]. 

Dependence map: First, we introduce some notation 
regarding quantification prefixes. Let p G Qnt(V) be a 
quantification prefix over a set V(p) = V C Var of 
variables. By ((p)) ^ {a; G V : 3i G [0, |p|[ . {p)i = {{x))} 
and [[pj = V \ ((p)) we denote, respectively, the sets of 
existential and universal variables quantified in p. For two 
variables x,y G V, we say that x precedes y in p, in 
symbols xK^y, if x occurs before y in p. Moreover, by 
Dep(p) ^ {{x,y) G V X V : .T G [[p]],y G ((p)) A x<^,,y} 
we denote the set of dependence pairs, i.e., a dependence 
relation, on which we derive the parameterized version 
Dep(p, y) = {x G V : (x,y) G Dep(p)} containing all 
variables from which y depends. Also, we use p G Qnt(V) 
to indicate the quantification derived from p by dualizing 
each quantifier contained in it, i.e., for all indexes i G [0, 
|p|[, it holds that {p)i = {{x}) iff (p), = [[a;]], with a; G V. 
It is evident that ((p)) = [[pj and [[p]] = ((p)). Finally, we 
define the notion of valuation of variables over a generic set 
D as a partial function v : Var ^ D mapping every variable 
in its domain to an element in D. By ValD(V) = V — > D 
we denote the set of all valuation functions over D defined 
on V C Var. 

We now give the semantics for quantification prefixes via 
the following definition of dependence map. 

Definition IV.l (Dependence Maps). Let p G Qnt(V) be 
a quantification prefix over a set of variables V C Var, 
and D a set Then, a dependence map for p over D is a 
function 9 : ValD([[p]]) — ^ ValD(V) satisfying the following 
properties: 

1) ^(v) fi^j = V, for all V G Vabdp]]); 

2) 6i(vi)(a:) = 6'(v2)(a;), for all Vi,V2 G Valodp]]) and 

X G ((p)) such that Vi fDep(p,x) =V2 rDep(p,x)- 

DMd(p) denotes the set of all dependence maps for p over 
D. 

Intuitively, Item 1 asserts that 6 takes the same values of 
its argument w.r.t. the universal variables in p and Item 2 
ensures that the value of 6 w.r.t. an existential variable xmp 



does not depend on variables not in Dep(p, x). To get better 52 
insight into this definition, a dependence map 6 for p can be 53 
considered as a set of Skolem functions that, given a value 
for each variable in V that is universally quantified in p,^" 
returns a possible value for all the existential variables in p, 
in a way that is consistent w.r.t. the order of quantifications. 

We now state a fundamental theorem that describes how " 
to eliminate strategy quantifications of an Sl formula via a 
choice of a dependence map over strategies. This procedure, 
proved to be correct by induction on the structure of the 
formula in [15], can be seen as the equivalent of the 
Skolemization in first order logic [10]. 

63 

Theorem IV.l (Sl Strategy Quantification). Let Q be a m 

CGS and (p = ptjj an Sl sentence, where ip is agent-es 
closed and p G Qnt(free(^/')). Then, Q \= (p ijf there 66 
exists a dependence map 9 € DMgtr(s(,)(p) such that ei 
G, 6{x), So \= tp, for all x e Asg([[p]], sq)- es 

69 

Elementary quantifications: We now introduce the 
property of elementariness for a particular class of depen-70 
dence maps. Intuitively, a dependence map over functions 71 
from a set T to a set D is elementary if it can be split into 72 
a set of dependence maps over D, one for each element of 73 
T. This idea allows us to enormously simplify the reasoning 74 
about strategy quantifications, since we can reduce them to 
a set of quantifications over actions, one for each track in ''^ 
their domains. 

Note that sets D and T, as well as U and V used in the " 
following, are generic and in our framework they may refer 
to actions and strategies (D), tracks (T), and variables (U 
and V). We prefer to use abstract names, as the properties 
we describe hold generally. 

To formally develop the above idea, we have first to 
introduce the generic concept of adjoint function. Observe 
that by g : Y ^ X — > Z we denote the operation of flipping 
of a generic function g : X — > Y — > Z. ^ 

86 

Definition IV.2 (Adjoint Functions). Let D, T, U, and V 37 
be four sets, and m : (T ^ D)^ (T D)^ and m -.^ 

T (D^ D^) two functions. Then, rn is the adjoint of 
m if m{t){g{t)){x) = m{g){x){t), for all g G (T ^ D)U 
X & W, and t e T. a, 

Observe that if a function has an adjoint then it is unique. 
Similarly, from an adjoint function it is possible to determine ^ 
the original function unambiguously. Thus, it is estabhshed ^ 
a one-to-one correspondence between functions admitting an 
adjoint and the adjoint itself. 

The formal meaning of the elementariness of a depen-'' 

dence map over generic functions follows. ^ 

99 

Definition rV.3 (Elementary Dependence Maps). Let p Gioo 
Qnt(V) be a quantification prefix over a set V C Vanoi 
of variables, D and T two sets, and G DMt->d(p) a^a2 
dependence map for p over T — >^ D. Then, is elementaryios 



if it admits an adjoint function. EDMt^d(p) denotes the 
set of all elementary dependence maps for p over T — >^ D. 

We now introduce an important variant of Sl[1g] seman- 
tics based on the concept of elementary dependence map 
over strategies. We refer to the related satisfiability concept 
as elementary satisfiability, in symbols ^e- Intuitively, such 
a semantics has the peculiarity that a strategy, used in 
an existential quantification in order to satisfy a formula, 
it is only chosen between those that are elementary w.r.t. 
the universal quantifications. The new semantics of Sl[1g] 
formulas involving atomic propositions. Boolean connec- 
tives, temporal operators, and agent bindings is defined 
as for the classic one, where the modeling relation \= is 
substituted with ^e, and we omit to report it here. In the 
following definition, we only describe the part concerning 
the quantification prefixes. Observe that by C,\, : Kg ^ Var, 
for b G Bnd(Var), we denote the function associating to 
each agent the variable of its binding in b. 

Definition rV.4 (Sl[1g] Elementary Semantics). Let Q be a 
CGS, s G St one of its states, and p\>ip an Sl[1g] principal 
sentence. Then Q,0,s \=e pbi/' iff there is an elementary 

dependence map 9 G EDMgtr(s) (p) for p over Str(s) such 
that g, 9{x) o C„s I^E ip, for all x e Asg([[p]], s). 

It is immediate to see a strong similarity between the 
statement of Theorem IV.l of Sl strategy quantification and 
the previous definition. The only crucial difference resides 
in the choice of the kind of dependence map. Moreover, 
observe that, differently from the classic semantics, the 
quantifications in a prefix are not treated individually but 
as an atomic block. This is due to the necessity of having 
a strict correlation between the point-wise structure of the 
quantified strategies. 

Finally, we state the following fundamental theorem 
which is a key step in the proof of the bounded model 
property and decidability of the satisfiability for Sl[1g], 
whose correctness has been proved in [15]. The idea behind 
the proof of the elementariness property resides in the strong 
similarity between the statement of Theorem IV.l of Sl 
strategy quantification and the definition of the winning 
condition in a classic two-player game. Indeed, on one 
hand, we say that a sentence is satisfiable iff "there exists a 
dependence map such that, for all all assignments, it holds 
that On the other hand, we say that the first player 
wins a game iff "there exists a strategy for him such that, 
for all strategies of the other player, it holds that The 
gap between these two formulations is solved in Sl[1g] by 
using the concept of elementary quantification. So, we build 
a two-player turn-based game in which the two players are 
viewed one as a dependence map and the other as a valuation, 
both over actions. This construction is a deep technical 
evolution of the proof method used for the dualization of 
alternating automata on infinite objects [17]. Precisely, it 



uses Martin's Determinacy Theorem [14] to prove that, if 53 
there is no dependence map of a given prefix that satisfies 54 
the given property, there is a dependence map of the dual 55 
prefix satisfying its negation. 56 

Theorem rV.2 (Sl[1g] Elementariness). Let Q be a Cgs " 
and an Sl[1g] sentence. Then, Q\=ip iff G\=eV- 

V. Bounded Dependence Maps ^ 

61 

Here we prove a boundedness property for dependence 62 
maps crucial to get, in Section VI, the bounded tree-model 63 
property for Sl[1g], which is a preliminary step towards our ^ 
decidability proof for the logic. 65 

As previously stated, on reasoning about the satisfiability 66 
of an Sl[1g] sentence, one can simplify the process, viae? 
the elementariness property, by splitting a dependence map es 
over strategies in sets of dependence maps over actions. 69 
Consequently, to gain the bounded model property, it is 70 
worth understanding how to build dependence maps over 71 
a predetermined finite set of actions, while preserving the 72 
satisfiability of the sentence of interest. The main difficulty 73 
here resides in the fact that, given an Sl[1g] sentence tp n 
satisfied on an (unbounded) CGS T with tree- shape, the 75 
related verification process may require different subsen-76 
tences, perhaps in contradiction among them, to be checked 77 
on disjoint subtrees of T. So, a correct pruning of T in a 78 
bounded tree-model has to keep the satisfiability of such sub- 79 
sentences separated, by avoiding Ihe collapse of the relative so 
subtrees, which can be ensured via the use of an appropriate si 
number of actions. By means of characterizing properties, on 82 
pairs of quantification and binding prefixes, (i.e., signatures, us 
see Definition V.l), and sets of dependence maps, (i.e., 84 
signature dependences, see Definition V.5), we ensures that 85 
the number of actions is finite. These properties are named ^ 
intersecting (see Definitions V.4 and V.5). Practically, we 
prove that sentences with intersecting signatures share a ^ 
common subtree, independently from the number of actions 
in the tree model (see Corollary V.l). Conversely, sentences 
with non-intersecting signatures, may need different subtrees 
and, consequently, a tree model must have a sufficient big 
number of actions, which we prove to be finite anyway (see 
Theorem V.2). 

Before presenting formally the properties and technique 
described above, we give some intuitive explanation behind ^ 
them. Suppose to have a set of quantification prefixes Q C 
Qnt(V) over a given set of variables V. We ask whether 
there is a relation among the elements of Q that forces a 
set of related dependence maps to intersect their ranges in,^^ 
at least one valuation of variables. For instance, consider^u, 
the prefixes pi ^ [[x]] ((y)) ((z)) and p2 ^ [[zE((yMx]]. Then,„, 
we want to know whether an arbitrary pair of dependence 
maps 61 e DMd(pi) and 62 G DMd(P2) has intersectingioa 
ranges, for a set D. In this case, since y is existentialio4 
quantified in both prefixes, we can build 9\ and 62 inio5 



such a way that they choose different elements of D on 
y, when they do the same choices on the other variables, 
supposed that |D| > 1. Thus, if the prefixes share at least an 
existential variable, it is possible to find related dependence 
maps that are not intersecting. Consider now the prefixes 
Pi = ¥W))M and P2 ^ [[z]][[y]]((x)). Although, in this 
case, each variable is existential quantified at most once, we 
have that x and z mutually depend in the different prefixes, 
so, there is a cyclic dependence that can make two related 
dependence maps not intersecting. Indeed, suppose to have 
D = {0,1}. Then, we can choose Ox e DMd(pi) and 
62 S DMd(p2) such that, for all valuations vi G dom(0i) 
and V2 e dom((?2), it holds that 9x{mi){z) = Vi(a:) and 
^2(v2)(a;) = 1 — V2(2;). Thus, 6\ and 62 do not intersect 
their ranges. Finally, consider a set of prefixes in which 
there is neither a shared existential quantified variable nor a 
cychc dependence, such as the following: pi = [[xj [[yH ((z)) , 
P2 = ((y))[[x]][[z]], and p3 ^ [[y]]((x))[[z]]. We now show that 
an arbitrary choice of dependence maps 9i € DMd(pi), 
02 e DMd(p2). and ^3 e DMd(p3) must have intersecting 
ranges, for every set D. Indeed, since y in p2 does not 
depend from other variables, there is a value rfy G D such 
that, for all V2 G dom(6'2), it holds that 6'2(v2)(y) = dy. 
Now, since x in p3 depends only on y, there is a value 
dx G D such that, for all V3 G dom(03) with V3(y) = dy, 
it holds that 03(v3)(x) = d^. Finally, we can determine 
the value G D of z in pi since x and y are fixed. So, 
for all vi G dom(0i) with Vi(x) = and vi(y) = dy, it 
holds that 6'i(vi)(z) = d^. Thus, the valuation vGValD(V), 
with v(x) = dx, v(y) = dy, and v(z) = dz, is such that 
V e rng(^i)nrng(6'2)nrng(6'3). Note that we run this proce- 
dure since we can find at each step an existential variable that 
depends only on universal variables previously determined. 

In order to formally define the above procedure, we need 
to introduce some preliminary definitions. As first thing, we 
generalize the described construction by taking into account 
not only quantification prefixes but binding prefixes too. This 
is due to the fact that different principal subsentences of 
the specification can share the same quantification prefix 
by having different binding prefixes. Moreover, we need to 
introduce a tool that gives us a way to differentiate the check 
of the satisfiability of a given sentence in different parts of 
the model, since it can use different actions when starts the 
check from different states. For this reason, we introduce the 
concepts of signature and labeled signature. The first is used 
to arrange opportunely prefixes with bindings, represented 
in a more general form through the use of a generic support 
set E, while the second allows us to label signatures, by 
means of a set L, to maintain an information on different 
instances of the same sentence. 

Definition V.l (Signatures). A signature on a set E is a 
pair a = (p, b) G Qnt(V) x V^ of a quantification prefix 
p over V and a surjective fimction b from E to V, for a 



given set of variables V C Var. A labeled signature on E 53 

w.r.t. a set L is a pair {a, I) G (Qnt(V) x V^) x L o/a 54 

signature a onE and a labeling I in L. The sets Sig(E) = 

Uvcvar Qnt(V)xV'^ and LSig(E, L) ^ Sig(E) x L contain,^' 

respectively, all signatures on E and labeled signatures on 
, , ^ 57 
E w.r.t. L. 

58 

We now extend the concepts of existential quantification 59 
and functional dependence from prefixes to signatures. By m 
{{a)) ^ {e G E : b(e) G ((p))}, Dep(a) ^ {(e', e") G E x E 61 
: (b(e'), b(e")) G Dep(p)}, and Go\{a) = {(e', e") G E x E 62 
: b(e') = b(e") e [[p]]}, with a = (p, b) G Sig(E), we 63 
denote the set of existential elements, and the relation sets of 64 
functional dependent and collapsing elements, respectively. 65 
Moreover, for a set S C Sig(E) of signatures, we define 
Col(S) = (Uo-es Co1((t))"'" as the transitive relation set '^^ 
of collapsing elements and ((S)) = Ucres ''^))' 
((S, a)) 4 {e G ((a)) : 3a' G S, e' = (p', b') G ((a')) • (<7 ^ " 
(T'Vb(e) ^ b'(e'))A(e,e') G Col(S)}, as the set of elements 
that are existential in two signatures, either directly or via a 
collapsing chain. Finally, by Dcp'((7) ^ {(e',e") G E x E 
: 3e"' G E . (e',e"') G Col(S) A (e"',e") G Dcp(ct)} we 72 
indicate the relation set of functional dependent elements 73 
connected via a collapsing chain. ^* 

As described above, if a set of prefixes has a cyclic 75 
dependence between variables, we are sure to find a set of 76 
dependence maps, bijectively related to such prefixes, that 77 
do not share any total assignment in their codomains. Here, 78 
we formaUze this concept of dependence by considering 79 
bindings too. In particular, the check of dependences is not so 
done directly on variables, but by means of the associated 
elements of the support set E. Note that, in the case of 

82 

labeled signatures, we do not take into account the labeling 
component, since two instances of the same signature with 
different labeling cannot have a mutual dependent variable. 

To give the formal definition of cycUc dependence, we 
first provide the definition of S-chain. 
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Definition V.2 (S-Chain). An S-chain /or a set of signatures as 

S C Sig(E) on E is a pair (e, ct) G x S*=, with A; G 

ui[, for which the following hold: 90 

1) Ist(e) G [[lst(a)l; 91 

2) {{g)i,{e)i+i)eDep'{{a)i), for alii e[0,k-l[; 92 

3) 7^ (^)j, for all i,j G [0, k[ with i < j. 93 

94 

It is important to observe that, due to Item 3, each S-chain 
cannot have length greater than |S|. 95 
Now we can give the definition of cyclic dependence. x 

97 

Definition V.3 (Cyclic Dependences). A cyclic dependence 

for a set of signatures S C Sig(E) on E is an S-chain 
(e, a) such that (Ist(e), fst(e)) G Dep'(lst(iT)). Moreover,^ 
it is a cycUc dependence for a set of labeled signatures 
P C LSig(E, L) on E w.rt. L if it is a cyclic dependence for 
the set of signatures {a G Sig(E) : 3/ G L . (cr, Z) G P}. The 
sets C(S), C(P) C E+ X S+ contain, respectively, all cyclicua 



dependences for signatures in S and labeled signatures in 
P. 

Observe that |C(S)|<|E|ISI • |S|!, so, |C(P)|<|E||p| • |P|!. 

At this point, we can formally define the property of inter- 
secting for signatures. According to the above description, 
this imphes that dependence maps related to prefixes share 
at least one total variable valuation in their codomains. Thus, 
we say that a set of signatures is intersecting if they do not 
have common existential variables and there is no cyclic 
dependence. Observe that, if there are two different instances 
of the same signature having an existential variable, we can 
still construct a set of dependence maps that do not share 
any valuation, so we have to avoid this possibility too. 

Definition V.4 (Intersecting Signatures). A set ^ C. Sig(E) 
of signatures on E is intersecting ;/ ((S)) = and C(S) = 0. 
A set PCLSig(E,L) of labeled signatures on E w.r.t. L is 
intersecting if the derived set of signatures {a G Sig(E) 
: 31 G L . (cr, ^) G P} is intersecting and, for all 
{a, V), (cr, /") G P, if {{a)) then I' = I". 

Finally, to manage the one-to-one connection between 
signatures and related dependence maps, it is useful to 
introduce the simple concept of signature dependence, which 
associates to every signature a related dependence map. We 
also define, as expected, the concept of intersecting for 
these functions, which intuitively states that the contained 
dependence maps have identical valuations of variables in 
their codomains, once they are composed with the related 
functions on the support set. 

Definition V.5 (Signature Dependences). A signature de- 
pendence for a set of signatures S C Sig(E) on E over 
D is a function w : S — )• U(p,b)esDMD(p) such that, 
for all (p, b) G S, it holds that w((p, b)) G DMd(p). 
A signature dependence for a set of labeled signatures 
P C LSig(E, L) on E w.r.t. L over T) is a function w : 
P —7- U((p_b),z)GpDMD(p) such that, for all ((p, b), I) G P, 
it holds that w{{{p, h),l)) G DMd(p). The sets SigDepD(S) 
anJ LSigDep]3(P) contain, respectively, all signature depen- 
dences for S and labeled signature dependences for P over 
D. A signature dependence w G SigDcp]3(S) is intersecting 
if n(p,b)Gs{v o b : V G rng(w(p, b))} ^ %. A labeled 
signature dependence w G LSigDepj3(P) is intersecting if 
n((p,b),i)Gp{v o b : V G mg(w((p, h),l))} ^ 0. 

As explained above, signatures and signature dependences 
have a strict correlation w.r.t. the concept of intersecting. 
Indeed, the following result holds. The idea here is to find, 
at each step of the construction of the common valuation, a 
variable, called pivot, that does not depend on other variables 
whose value is not already set. This is possible if there are 
no cychc dependences and each variable is existential in at 
most one signature. 

Tlieorem V.l (Intersecting Dependence Maps). Let S C 



Sig(E) be a finite set of intersecting signatures on E. Then, 
for all signature dependences w G SigDepj5(S) for S over 
a set D, it holds that w is intersecting. 

This theorem can be easily lifted to labeled signatures, as 
stated in the following coroUary. 

Corollary V.l (Intersecting Dependence Maps). Let P C 

LSig(E,L) be a finite set of intersecting labeled signatures 
on E w.r.t. L. Then, for all labeled signature dependences 
w e LSigDepj5(P) for P over a set D, it holds that w is 
intersecting. 

Finally, if the set D is sufficiently large, in the case 
of non-intersecting labeled signatures, we can find a sig- 
nature dependence that is non-intersecting too, as reported 
in following theorem. The high-level combinatorial idea 
behind the proof is to assign to each existential variable, 
related to a given element of the support set in a signature, 
a value containing a univocal flag in P x V(P), where 
V(P) = U((pb) OeP^^^-'' representing the signature itself. 
Thus, signatures sharing an existential element surely have 
related dependence maps that cannot share a common val- 
uation. Moreover, for each cyclic dependence, we choose 
a particular element whose value is the inversion of that 
assigned to the element from which it depends, while all 
other elements preserve the related values. In this way, in 
a set of signature having cycUc dependences, there is one 
of them whose associated dependence maps have valuations 
that differ from those in the dependence maps of the other 
signatures, since it is the unique that has an inversion of the 
values. 



Theorem V.l (Non-Intersecting Dependence Maps). Let 

P C LSig(E, L) be a set of labeled signatures on E 
w.r.t. L. Then, there exists a labeled signature dependence 
w e LSigDepD(P)/orP over D = PxV(P)x{0, Ij^^P) such 
that, for all P' C P, it holds that Wfp' G LSigDepD(P') is ^ 
non-intersecting, if P' is non-intersecting. 
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VI. Model Properties 

88 

We now investigate basic model properties of Sl[1g] that 89 
turn out to be important on their own and useful to prove 90 
the decidability of the satisfiability problem. 91 

First, recall that the satisfiability problem about branching- 92 
time logics can be solved via tree automata, once a kind of 93 
bounded tree-model property holds for it. Indeed, by using it, 94 
one can build an automaton accepting all models of formulas, 95 
or their encoding. So, we first introduce the concepts of con- 
current game tree, decision tree, and decision-unwinding and 

97 

then show that Sl[1g] is invariant under decision-unwinding, 
which directly implies that it satisfies a unbounded tree-^ 
model property. Finally, by using the techniques previously 99 
introduced, we further prove that the above property isioo 
actually a bounded tree-model property. 101 



Tree-model property: We now introduce two particular 
kinds of Cgs whose structure is a directed tree. As already 
explained, we do this since the decidabiUty procedure we 
give in the last section of the paper is based on alternating 
tree automata. 

Definition VI.l (Concurrent Game Trees). A concurrent 
game fi-ee (Cgt, for short) is a Cgs T = (AP,Ag,Ac, 
St,A,T, e), where (i) St C A* is a l^-tree for a given 
set A of directions and (ii) if t ■ e G St then there is a 
decision d G Do such that T(t, d) = t- e, for all t G St and 
e G A. Furthermore, T is a decision tree (Dt, for short) if 
(i) St = Do* and (ii) ift-dGSt then T{t, d) = t • d, for all 
t G St and d G Do. 

Intuitively, Cgts are Cgss with a tree-shaped transition rela- 
tion and Dts have, in addition, states uniquely determining 
the history of computation leading to them. 

At this point, we can define a generalization for CGS 
of the classic concept of unwinding of labeled transition 
systems, namely decision-unwinding. Note that, in general 
and differently from Atl*, Sl is not invariant under decision- 
unwinding, as we show later. On the contrary, Sl[1g] 
satisfies such an invariance property. This fact allows us to 
show that this logic has the unbounded tree-model property. 

Definition VI.2 (Decision-Unwinding). Let Q be a CGS. 

Then, the decision-unwinding of Q is the Dt Qdu — (AP, 
Ag, Acg, Dcg*, A, T, s) for which there is a surjective func- 
tion unw : Dcg* — )• Stg such that (i) unw(e) = sog, (ii) 
unw(T(t, d)) = Tg{unw{t),d), and (iii) X{t) = Ag(unw(t)), 

for all t G Dccj* and d G Dcg. 

Note that each CGS Q has a unique associated decision- 
unwinding Qdu- 

By using a standard proof by induction on the structure 
of Sl[1g] formulas, we can show that this logic is invariant 
under decision-unwinding and, consequently, that it satisfies 
the unbounded tree-model property. In particular, for the 
case of the combined quantification and binding prefixes 
pbV', we can use a technique that allows to build, given 
an elementary dependence map 6 satisfying the formula 
on a Cgs Q, an elementary dependence map 9' satisfying 
the same formula over the Dt Qdu, and vice versa. This 
construction is based on a step-by-step transformation of the 
adjoint of a dependence maps into another, which is done 
for each track of the original model. This means that we do 
not actually transform the strategy quantifications but the 
equivalent infinite set of action quantifications. 

Theorem VI.l (Sl[1g] Positive Model Properties). 

1) Sl[1g] is invariant under decision-unwinding; 

2) Sl[1g] has the decision-tree model property. 

Although this result is a generalization of that proved to 
hold for Atl*, it actually represents an important demar- 
cation line between Sl[1g] and Sl. Indeed, as we show 



in the following theorem, Sl does not satisfy neither the 53 
tree-model property nor, consequently, the invariance under 54 
decision-unwinding. 55 

Theorem VI.2 (Sl Negative Model Properties). ^ 

57 

1) Sl does not have the decision-tree model property; 

2) Sl Is not Invariant under decision-unwinding. 

Bounded tree-model property: We now have all tools 
we need to prove the bounded tree-model property for^° 
Sl[1g], which we recall Sl does not satisfy [16]. Actually, ''^ 
we prove here a stronger property, which we name bounded 
disjoint satisfiability. ^ 
To this aim, we first introduce the new concept regarding " 
the satisfiability of different instances of the same subsen-^^ 
tence of the original specification, which intuitively states ^ 
that these instances can be checked on disjoint subtrees e? 
of the tree model. With more detail, this property asserts ^ 
that, if two instances use part of the same subtree, they^g 
are forced to use the same dependence map as well. This 
intrinsic characteristic of Sl[1g] is fundamental to build a 
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unique automaton that checks the truth of all subsentences, 
by simply merging their respective automata, without using 
a projection operation that eliminates their proper alphabets, 
which otherwise can be in conflict. In this way, we are able 
to avoid an exponential blow-up. A clearer discussion on 
this point is reported later in the paper 



Definition VL3 (Sl[1g] Disjoint Satisfiability). Let T be 
a Cgt, if = p\)ip an Sl[1g] principal sentence, and S = 

{s G St : T, 0, s \= 95}. Then, T satisfies (f disjointly over 
S If there exist two fimctlons head : S DMac(p) and 
body : Trk(e) — > DMac(p) such that, for all s G S and 
X G Asg([[p]], ,s), It holds that T,9(x),s \= bip, where the 
elementary dependence maps 9 G EDMgtr(s) (p) is defined 
as follows: (i) 9{s) = head(s); (ii) 9{p) = body(p' • p), for ^ 
all p E Trk(s) with \p\ > 1, where p' G Trk(£) Is the unique ^ 
track such that p' ■ p E Trk(£). 

t 

In the following theorem, we finally describe the crucial ^ 
step behind our automata-theoretic decidability procedure ^ 
for Sl[1g]. At an high-level, the proof proceeds as fol- 
lows. We start from the satisfiability of the specification ^ 
(fi over a Dt T, whose existence is ensured by Item 2 of 
Theorem VI. 1 of Sl[1g] positive model properties. Then, 
we construct an intermediate Dt 7j, called flagged model, 
which is used to check the satisfiability of all subsentences 
of 9? in a disjoint way. Intuitively, the flagged model adds a 
controller agent, named sharp that decides on which subtree 
a given subsentence has to be verified. Now, by means of 
Theorem IV.2 on the Sl[1g] elementariness, we construct 
the adjoint functions of the dependence maps used to verify s 
the satisfiabihty of the sentences on 7j. Then, by applying^ 
Corollary V. 1 and Theorem V.2 of intersecting and non-i( 
interesting dependence maps, respectively, we transform then 
dependence maps over actions, contained in the ranges ofic 



the adjoint functions, in a bounded version, which preserves 
the satisfiability of the sentences on a bounded pruning 7j' 
of 7j. Finally, we remove the additional agent tl obtaining the 
required bounded Dt T'. Observe that, due to the particular 
construction of the bounded dependence maps, the disjoint 
satisfiabihty is preserved after the ehmination of fl. 

Theorem VI.3 (Sl[1g] Bounded Tree-Model Property). 

Let ip be an Sl[1g] satlsfiable sentence and P = 
{((p, b), (V', i)) G LSig(Ag, Sl x {0, 1}) : pbV' G psnt(^) A 
i G {0,1}} the set of all labeled signatures on Ag w.r.t. 
Sl X {0, 1} for (p. Then, there exists a b-bounded Dt T, 
with 6 = |P| • |V(P)| • 2lC(P)l, such that T h </'• Moreover, 
for all (j) G psnt((p), It holds that T satisfies 4> disjointly 
over the set {s G St : T, 0, s |= (p}. 

VII. Satisfiability Procedure 

We finally solve the satisfiability problem for Sl[1g] and 
show that it is 2ExpTiME-C0MPLETE, as for Atl*. The 
algorithmic procedures is based on an automata-theoretic ap- 
proach, which reduces the decision problem for the logic to 
the emptiness problem of a suitable universal Co-Buchi tree 
automaton (UCT, for short) [9]. From an high-level point of 
view, the automaton construction seems similar to what was 
proposed in literamre for Ctl* [12] and Atl* [21]. However, 
our technique is completely new, since it is based on the 
novel notions of elementariness and disjoint satisfiability. 

Principal sentences: To proceed with the satisfiability 
procedure, we have to introduce a concept of encoding for 
an assigrmient and the labeUng of a Dt. 

Definition VII.l (Assignment-Labeling Encoding). Let 
T be a Dt, t G StT- one of Its states, and x ^ 
Asg7-(V, €) an assignment defined on the set V C Var. A 

(ValAcr(V) X 2^)-labeled Dcr-tree V = (Str, u) Is an 
assignment- labeling encoding /or x on T If u{\st{{p)>i)) = 
ixip), Ar(lst(p))), for all p G Trkr(t). 

Observe that there is a unique assignment-labeling encoding 
for each assignment over a given Dt. 

Now, we prove the existence of a UCT U^^ for each 
Sl[1g] goal \>ij: having no principal subsentences. U^^ 
recognizes all the assignment-labeling encodings T' of an 
a priori given assignment x over a generic Dt T, once the 
goal is satisfied on T under x- Intuitively, we start with a 
Ucw, recognizing all infinite words on the alphabet 2^ that 
satisfy the Ltl formula ^p, obtained by a simple variation 
of the Vardi-Wolper construction [23]. Then, we run it on 
the encoding tree T' by following the directions imposed by 
the assignment in its labeling. 

Lemma VILl (Sl[1g] Goal Automaton). Let \)tp an Sl[1g] 
goal without principal subsentences and Ac a finite set of ac- 
tions. Then, there exists an UCT = (ValAc(free(bV-')) x 
2^, Do, Qi,^, 6\,^, qo\,^, such that, for all Dts T with 
Acf = Ac, states t G Str, (ind assignments x G 



Asg7-(free(bV'), i), it holds that T, X:^ h t'V' ijf T' G 51 the satisfiability problem for Sl[1g]. 
hiU^), where T' is the assignment-labeling encoding for 
X on T. 



52 

53 



Theorem VII.2 (Sl[1g] Satisfiability). The satisfiability 
problem for Sl[1g] is 2ExpTime-C0MPLETE. 



We now introduce a new concept of encoding regarding 
the elementary dependence maps over strategies. 

Definition Vn.2 (Elementary Dependence-LabeUng Encod-> 
ing). Let T be a Dt, t € Stj- one of its states, and . 
9 G EDMstr7-(t)(p) elementary dependence map over > 
strategies for a quantification prefix p e Qnt(V) over the set 
V C Var. A (DMAcr(p) x 2^)-labeled A-tree V = (Str, f 
u) is an elementary dependence-labeling encoding /or 9 on f 
r if u(lst((p)>i)) = {e{p), Ar(lst(p))), for all pG Trkr(t). ^ 

f 

Observe that also in this case there exists a unique ele- 
mentary dependence-model encoding for each elementary^ 
dependence map over strategies. 5 
Finally, in the next lemma, we show how to handle locally ^ 
the strategy quantifications on each state of the model, by f 
simply using a quantification over actions modeled by the ( 
choice of an action dependence map. Intuitively, we guess ; 
in the labeling what is the right part of the dependence map ^ 
over strategies for each node of the tree and then verify that, ' 
for all assigrmients of universal variables, the corresponding 
complete assigrmient satisfies the irmer formula. 

Lemma VII.2 (Sl[1g] Sentence Automaton). Let p\>tp 
be an Sl[1g] principal sentence without principal subsen- 
tences and Ac a finite set of actions. Then, there exists 

an UCT U^^""^ ^ (DMac(p) x 2^, Dc, Qpt,?,, (5^^^^^, gopb^, 
^pbv) ^^''^ ^ ^^^^ ^'^T — States 

t G Str, <wi<^ elementary dependence maps over strategies 
9 e EDMsti.^(t)(p), it holds that T,9{x),t \=e bip, for 
all X G Asgr([[p]],t), iffV G L(ZiAc^), where V is the 
elementary dependence-labeling encoding for 6 on T. 



Full sentences: By summing up all previous results, we | 
are now able to solve the satisfiability problem for the fuU 
Sl[1g] fragment. ' 

To construct the automaton for a given Sl[1g] sentence' 
ip, we first consider all UCT U^'^, for an assigned bounded | 
set Ac, previously described for the principal sentences 

G psnt(<p), in which the inner subsentences are considered | 
as atomic propositions. Then, thanks to the disjoint satis- 
fiability property, we can merge them into a unique UCT | 
that supphes the dependence map labehng of internal 
components U^'^, by using the two functions head and body J 
contained into its labeling. , 

Theorem VII.l (Sl[1g] Automaton). Let if be an Sl[1g] ' 
sentence. Then, there exists an UCT such that if is ' 
satisfiable iffL{U,p) ^0. 

1 

Finally, by a simple calculation of the size of U^p and thei 
complexity of the related emptiness problem, we state in, 
the next theorem the precise computational complexity ofi 
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Appendix A. 

Mathematical Notation 

In this short reference appendix, we report the classical 
mathematical notation and some common definitions that are 
used along the whole work. 

Classic objects: We consider N as the set of natural 
numbers and [m, n] = {k & 'H : m < k < n}, [m,n[ = 
{fc G N : m < fc < n}, ]m, n] = {fc G N : m < fc < 
n}, and ]m,n[ = {A; G N : w < < n} as its interval 
subsets, with m G N and nGN = NU{a;}, where w is the 
numerable infinity, i.e., the least infinite ordinal. Given a set 
X of objects, we denote by |X| G NUjoo} the cardinality 
of X, i.e., the number of its elements, where oo represents a 
more than countable cardinality, and by 2^ = {Y : Y C X} 
the powerset of X, i.e., the set of all its subsets. 

Relations: By i? C X x Y we denote a relation between 
the domain dom(i?) = X and codomain cod(i?) = Y, whose 
range is indicated by rng(i?) = {y G Y : El.x G X. [x, y) G 
R}. We use R-'^ = G Y x X : {x,y) G R} to 

represent the inverse of R itself. Moreover, by S o R, with 
i? C X X Y and 5 C Y x Z, we denote the composition 
of R with S, i.e., the relation S o R = {(x, z) G X x Z 
: 3y G Y. {x,y) £ R A (y.z) G 5"}. We also use R" = 
i?"^^ o R, with n G to indicate the n-iteration of 

i? C X X Y, where Y C X and 7?° ^ {{y, y) : y G Y} is 
the identity on Y. With R+ = [j^^^ R" and R* = R+UR° 
we denote, respectively, the transitive and refiexive-transitive 
closure of R. Finally, for an equivalence relation i? C X x X 
on X, we represent with (X/i?) = {[x]fi. '■ x G X}, where 
[x]r = {x' G X : {x,x') G R}, the quotient set of X w.r.t. 
R, i.e., the set of all related equivalence classes 

Functions: We use the symbol Y^ C 2^^^ to denote 
the set of total functions f from X to Y, i.e., the relations 
f C X X Y such that for all x G dom(f) there is exactly one 
element y G cod(f) such that {x, y) G f. Often, we write f : 
X — >^ Y and f : X — ^ Y to indicate, respectively, f G Y-'^ and 
f G Ux'cx ■ Regarding the latter, note that we consider 
f as a partial function from X to Y, where dom(f) C X 
contains all and only the elements for which f is defined. 
Given a set Z, by f fz = f n (Z x Y) we denote the restriction 
of f to the set XnZ, i.e., the function ffz : XnZ ^ Y such 
that, for all x G dom(f) n Z, it holds that ^\7.{x) = f(a;). 
Moreover, with we indicate a generic empty function, i.e., 
a function with empty domain. Note that X n Z = implies 
f fz = 0- Finally, for two partial functions f , g : X ^ Y, we 
use f y g and f (fil g to represent, respectively, the union and 
intersection of these functions defined as follows: dom(f Itl) 
g) = dom(f) U dom(g) \ {x G dom(f) n dom(g) : f(x) ^ 
g(a;)}, dom(f(nlg) ^ {x G dom(f) ndom(g) : f(.x) = g{x)}, 
(f yg)(a;) = f(x) for x G dom(f Pg) ndom(f), (f yg)(x) = 
g{x) for x G dom(f P g) fl dom(g), and (f fn) g){x) = f(a;) 
for X G dom(f (nl g). 

Words: By X", with n G N, we denote the set of all 
n-tuples of elements from X, by X* = Ura=o the set of 



finite words on the alphabet X, by X+ = X* \ {e} the set 54 
of non-empty words, and by X*^ the set of infinite words, 55 
where, as usual, e S X* is the empty word. The length of a 56 
word w e X°° = X* U X" is represented with \w\ e N. By 57 
{w)i we indicate the i-th letter of the finite word w G X*,58 
with i G [0, |'u;|[. Furthermore, by fst(M;) = {w)o (resp.,59 
\st{w) = (w)|^|-i), we denote Ihe first (resp., last) letter eo 
of w. In addition, by (w)<i (resp., (w)>i), we indicate the 61 
prefix up to (resp., suffix after) the letter of index i of w, 62 
i.e., the finite word built by the first « + 1 (resp., last \w\ — 63 
i - 1) letters (w)o, • • • , {w), (resp., . . . , (w;)|„;|_i).64 

We also set, (w)<o — {w)<:i — (u')<i_i, {iu)>a = w, es 
and {w)>i = (w)>i_i, for i e [1, \w\[ . Mutatis mutandis,66 
the notations of i-th letter, first, prefix, and suffix apply to e/ 
infinite words too. Finally, by pfx(u>i, W2) G X°° we denote ea 
the maximal common prefix of two different words wi,W'2 € es 
X°°, i.e., the finite word w G X* for which there are two 70 
words G X°° such that wx = w-w[, W2 = w-w^, and 71 

fst('u;']^) 7^ fst(u>2). By convention, we set pfx(w, w) = w. 72 
Tree*.- For a set A of objects, called directions, a A- 73 
tree is a set T C A* closed under prefix, i.e., if t • d G T, 74 
with d G A, then also t G T. We say that it is complete if it 75 
holds that t-d' whenever f • d G T, for aU cZ' < d, where 76 
< C A X A is an a priori fixed strict total order on the set 77 
of directions that is clear from the context. Moreover, it is 73 
fiill if T = A* . The elements of T are called nodes and the 79 
empty word e is the root of T. For every f G T and d G A, so 
the node t • d G T is a successor of t in T. The tree is 6-81 
bounded if the maximal number h of its successor nodes is 82 
finite, i.e., h = max^gT |{t • d G T : d G A}| < w. A branch 83 
of the tree is an infinite word w G A'^ such that (w)<i G T, 84 
for aU i G N. For a finite set S of objects, called symbols, 
a H-labeled I^-tree is a quadruple (S, A, T, v), where T is 86 
a A-tree and v : T ^ S is a labeling fimction. Wben As? 
and E are clear from the context, we call (T, v) simply a 8b 
(labeled) tree. 89 

90 

Appendix B. 

91 

Proofs of Section V 

92 

In this appendix, we give the proofs of Theorem V. 1 and 93 
Corollary V.l of intersecting dependence maps and Theo-94 
rem V.2 of non-intersecting dependence maps. In particular, 
to prove the first two results, we need to introduce the 

96 

concept of pivot for a given set of signatures and then show 
some useful related properties. Moreover, for the latter result, 

98 

we define an apposite ad-hoc signature dependence, based 

on a sharp combinatorial construction, in order to maintain 

separated the dependence maps associated to the components^"" 
^ . . ^ . 101 

of a non-mtersectmg set of signatures. 

Pivot: To proceed with the definitions, we have firstio2 

to introduce some additional notation. Let E be a set andios 

(T G Sig(E) a signature. Then, [[cr]] = E \ ((cr)) indicatesio4 

the set of elements in E associated to universal quantifiedios 

variables. Moreover, for an element e G E, we denote byio6 



Dep((T, e) = {e' G E : (e', e) G Dep(a-)} the set of elements 
from which e is functional dependent. Given another element 
e' G E, we say that e precedes e' in a, in symbols eK^e', 
if b(e)<pb(e'), where a = (p, b). Observe that this kind 
of order is, in general, not total, due to the fact that b is 
not necessarily injective. Consequently, by min<^ F, with 
F C E, we denote the set of minimal elements of F w.r.t. 
<cr. Finally, for a given set of signatures S C Sig(E), we 
indicate by [[S]] = PIctgs I^I elements that are 

universal in all signatures of S, by Col(S, e) = {e' G E\ [[S]] 
: (e',e) G Col(S)} the set of existential elements that form 
a collapsing chain with e, and by Col(S, cr) = {e G E : 
3e' G ((cr)) . (e', e) G Col(S)} the set of elements that form 
a collapsing chain with at least one existential element in a. 

Intuitively, a pivot is an element on which we can extend 
a partial assignment that is shared by a set of dependence 
maps related to signatures via a signature dependence, in 
order to find a total assignment by an iterative procedure. 
Let F the domain of a partial function d : E D and e an 
element not yet defined, i.e., e G E \ F. If, on one hand, e is 
existential quantified over a signature a = (p, b) and all the 
elements from which e depends on that signature are in the 
domain F, then the value of e is uniquely determined by the 
related dependence map. So, e is a pivot. If, on the other 
hand, e is universal quantified over all signatures cr G S 
and all elements that form a collapsing chain with e are 
in the domain F, then, also in this case we can define the 
value of e being sure to leave the possibiUty to build a total 
assignment. So, also in this case e is a pivot. For this reason, 
pivot plays a fundamental role in the construction of such 
shared assignments. The existence of a pivot for a given 
finite set of signatures S C Sig(E) w.r.t. a fixed domain F 
of a partial assignment is ensured under the hypothesis that 
there are no cyclic dependences in S. The existence proof 
passes through the development of three lemmas describing 
a simple seeking procedure. 

With the previous description and the examples of Sec- 
tion V in mind, we now formally describe the properties 
that an element of the support set has to satisfy in order 
to be a pivot for a set of signatures w.r.t. an a priori given 
subset of elements. 

Definition B.l (Pivots). Let S C Sig(E) be a set of 
signatures on E and F c E a subset of elements. Then, 
an element e G E is a pivot for S w.r.t. F if e ^ F and 
either one of the following items holds: 

1) e G [[S]] and Col(S,e) C F; 

2) there is a signature cr G S such that e G ((cr)) and 
Dcp(cr, e) C F. 

Intuitively, Item 1 asserts that the pivot is universal quan- 
tified over all signatures and all existential elements that 
form a collapsing chain starting in the pivot itself are 
already defined. On the contrary. Item 2 asserts that the 
pivot is existential quantified and, on the relative signature, 



it depends only on already defined elements. 51 
Before continuing, we provide the auxiliary definition of 52 

minimal S-chain. 53 

54 

Definition B.2 (Minimal S-Chain). Let S C Sig(E) be a set 
of signatures on E and F C E a subset of elements. A pair 
(e, (?) G E*^ X S*^, with fc G [1, ci;[, /.? a minimal S-chain w.r.t.^n 
F if it is an S-chain such that {e)i G minj^^) . (E \ F), for all 57 

i G [0, 58 

59 

In addition to the definition of pivot, we also give the 

60 

formal concept of pivot seeker that is used, m an iterative 
procedure, to find a pivot if this exists. 

62 

Definition B.3 (Pivot Seekers). Let S C Sig(E) be a set ofez 
signatures on E and F c E a subset of elements. Then, a 64 
pair (e ■ e, a ■ a) G E'^ x S'' of sequences of elements and 65 
signatures of length fc G is a pivot seeker for S w.rt.ee 

F if the following hold: 

1) e G min^(E\F); 

2) fst(e) G {{{a}} U Col(S, a)) \F, if k > 1; 

3) (e, a) is a minimal S-chain, if k > 1. 



Intuitively, a pivot seeker is a snapshot of the seeking 
procedure at a certain step. Item 1 ensures that the element 
e we are going to consider as a candidate for pivot depends 
only on the elements defined in F. Item 2 builds a hnk^^ 
between the signature a of the present candidate and the 
head element fst(e) of the previous step, in order to maintain 
information about the dependences that are not yet satisfied. 
Finally, Item 3 is used to ensure that the procedure avoids 
loops by checking pivots on signature already considered. 

As shown through the above mentioned examples, in the 
case of intersecting signatures, we can always find a pivot 
w.r.t. a given set of elements already defined, by means of 
a pivot seeker. 

^ 84 

The following lemma ensures that we can always start the 

85 

iterative procedure over pivot seekers to find a pivot. 

Lemma B.l (Pivot Seeker Existence). Let S C Sig(E) be 
a set of signatures on E and F c E a subset of elements. ^ 
Then, there exists a pivot seeker for S w.rt. F of length 1. 

90 

Proof: Let ct G S be a generic signature and e G E an 
element such that e G minCT(E \ F). Then, it is irmnediate 
to see that the pair (e, <t) G x is a pivot seeker for S 
w.rt. F of length 1, since Item 1 of Definition B.3 of pivot 

94 

seekers is verified by construction and Items 2 and 3 are 

95 

vacuously satisfied. ■ 

96 

Now, suppose to have a pivot seeker of length not greater 
than the size of the support set E and that no pivot is 
already found. Then, in the case of signatures without cycUc ^ 
dependences, we can always continue the iterative procedure, 
by extending the previous pivot seeker of just one further 
element. 



Lemma B.2 (Pivot Seeker Extension). Let S C Sig(E) bew 



a set of signatures on E with C(S) — and F C E a subset 
of elements. Moreover, let {e-e,a -a) & be a pivot 

seeker for S w.r.t. F of length k G Then, if e is not a 

pivot for S w.r.t. F, there exists a pivot seeker for S w.r.t. F 
of length k + 1. 

Proof: By Item 1 of Definition B.3 of pivot seekers, we 
deduce that e ^ F and Dep((T, e) C F. Thus, if e is not a 
pivot for S w.r.t. F, by Definition B.l of pivot, we have that 
e ^ [[S]] or Col(S,e) 2 F and, in both cases, e G [[crj. We 
now distinguish the two cases. 

There exists a signature cr' G S such that e G ((cr'))- 
So, consider an element e' G mincr'(E \ F). We now 
show that the pair of sequences {e! ■ e ■ e^a' ■ a ■ a) G 
gfc+i ^ gfe+i length fc + 1 satisfies Items 1 and 2 
of Definition B.3. The first item is trivially verified by 
construction. Moreover, fst(e-e) = e G ((cr'))\F. Hence, 
the second item holds as well. 
• e G [[S]]. 

We necessarily have that Col(S, e) % F. Thus, there 
is an element e' G E \ ([[S]] U F) such that (e',e) G 
Col(S). Consequently, there exists also a signature a' G 
S such that e' G ((o"')) \ F- consider an element 
e" G mino-/(E \ F). We now show that the pair of 
sequences (e" • e • e, cr' • cr • (?) G E'°+^ x 8*^+^ of length 
/c + 1 satisfies Items 1 and 2 of Definition B.3. The 
first item is trivially verified by construction. Moreover, 
since (e',e) G Col(S), by the definition of Col(S, cr'), 
we have that fst(e • e) = e G Col(S, cr') \ F. Hence, the 
second item holds as well. 
At this point, it only remains to show that Item 3 of 
Definition B.3 holds, i.e., that (e • e, cr • ct) is a minimal 
S-chain w.r.t. F. For /c = 1, we have that Items 2 and 3 of 
Definition V.2 of S-chain are vacuously verified. Moreover, 
since e G \a\, also Item 1 of the previous definition holds. 
Finally, the S-chain is minimal w.rt. F, due to the fact that 
e G min(7(E \ F). Now, suppose that A: > 1. Since (e, (?) is 
already an S-chain, to prove Items 2 and 3 of Definition V.2 
of S-chain, we have only to show that (e,fst(e)) G Dep' (cr) 
and cr / ((?);, for all z G [0, /c — 1[ , respectively. 

By Items 1 and 2 of Definition B.3, we have that e G 
min„(E \ F) and fst(e) G (((a)) U Co1(S,ct)) \ F. So, two 
cases arise. 

. fst(e)G((a))\F. 

Since e G [[cr]] n miner (E \ F), we can deduce that 
(e,fst(e)) G Dep((7) C Dep' (cr). 
. fst(e) G Col(S, cr) \ F. 

By the definition of Col(S, cr), there exists e' G ((cr)) \F 
such that (e',fst(e)) G Col(S). Now, since e G 
\u\ n min<^(E \ F), we can deduce that (e, e') G 
Dcp(cr). Thus, by definition of Dep' (cr), it holds that 
(e,fst(e)) G Dep' (cr). 
Finally, suppose by contradiction that there exists i G [0, 



fc — 1[ such that a = {a)i. Two cases can arise. 
. i = k-2. 

Then, by Item 1 of Definition V.2, we have that (e)j = 
\stie} e [[Ist(a)]] = l{a)il 

. ?: < fc - 2. 

Then, by Item 2 of Definition V.2, we have that 
((e)i, (e)i+i) G Dep'((CT)i). Consequently, {e)i G 

By Definition B.2 of minimal S-chain, since (e, a) is min- 
imal w.r.t. F, it holds that {e)i G min(5=).(E \ F). So, 
(e),; e n min(^).(E \ F). Moreover, by Item 2 of 

Definition B.3, we have that (e)o € (((cr )) UCol(S, a)) \ F = 
U Col(S, (CT)j)) \ F. Thus, by applying a reasoning 
similar to the one used above to prove that (e,fst(e)) G 
Dep' (cr), we obtain that ((e)j, (e)o) G Dep'((a)j) Hence, 
{{e)<i, {a)<i) satisfies Definition V.3 of cyclic dependences. 
So, ((e)<i, (<?)<i) £ C(S) ^ 0, which is a contradiction. ■ 
Finally, if we have run the procedure until all elements 
in E are visited, the first one of the last pivot seeker is 
necessarily a pivot. 

Lemma B.3 (Seeking Termination). Let S C Sig(E) be a 
finite set of signatures on E with C(S) =0 and F C E a 
subset of elements. Moreover, let {e- e,a ■ a) G E'^ x S*' be 
a pivot seeker for S w.r.t. F of length A; = |S| + 1. Then, e 
is a pivot for S w.rt. F. 

Proof: Suppose by contradiction that e is not a pivot for 
S w.r.t. F. Then, by Lemma B.2 of pivot seeker extension, 
there exists a pivot seeker for S w.r.t. F of length k + 1, 
which is impossible due to Item 3 of Definition B.3 of pivot 
seekers, since an S-chain of length k does not exist. ■ 
By appropriately combining the above lemmas, we can 
prove the existence of a pivot for a given set of signatures 
having no cyclic dependences. 

Lemma B.4 (Pivot Existence). Let S C Sig(E) be a finite 

set of signatures on E with C(S) = and F C E a subset 
of elements. Then, there exists a pivot for S w.r.t. F. 

88 

Proof: By Lemma B.l of pivot seeker existence, there 
is a pivot seeker of length 1 for S w.r.t. F, which can be ^ 
extended, by using Lemma B.2 of pivot seeker extension, 
at most |S| < (jj times, due to Lemma B.3 of seeking 
termination, before the reach of a pivot e for S w.r.t. F. 

93 

■ 

94 

Big signature dependences: In order to prove Theo- 
rem V.2, we first introduce big signature map w. 

96 

Defuiition B.4 (Big Signature Dependences). Let P C 97 

LSig(E) be a set of labeled signatures over a set E, and 93 
D = P X V(P) X {0, Then, the big signature 99 
dependence w G SigDepi3(P) for P over D is defined as^^x, 
follow. For all {a, I) = {{p,b),l) G P, and v G Vabdp]]) 
we have that: 

1) w((a, 0)(v)(a:) ^ v(a:), for all x G [[p]]; 



101 
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103 



2) w((a,/))(v)(.T) ^ (((T,/),.r,h), for all x e^{{p)), 
where h G {0, l}'-^^^) is such that, for all (e, ct), the 
following hold: 

a) if a = fst(a) and x = b(fst(e)) then h((e, a)) = 
1 - h'((e,CT)), where W £ {0, is such 
that v(b(lst(e))) = {{a' ,l'),x' ,W), for some 
{a',V) G P andx' G V(P); 

b) if there exists i G such that a = ((T)j 
and X = b((e)i), then h((e, (?)) = h'((e, (?)), 
where h' G {0, 1}<^(P) is such that v(b((e)i)) = 
{{a'J'),x',h'), for some {a', I') G P and x' G 

v(P); 

c) if none of the above cases apply, set h((e, ct)) = 
0. 

Note that Items 2a and 2b are mutually exclusive since, by 
definition of cyclic dependence, each signature occurs 
only once in &. 

It is easy to see that the previous definition is well formed, 
i.e., that w is actually a labeled signature dependence. Indeed 
the following lemma holds. 

Lemma B.5. Let P C LSig(E) be a set of labeled signatures 
over asetEandT) = Fx V(P) x {0, Then the big 
signature dependence w for P over D is a labeled signature 
dependence for P over D. 

Proof: We have to show that w(((p, b), I)) is a depen- 
dence map for p over D, for all (cr, I) G P. 

1) By Item 1 of Definition B.4 it holds that 
w((cr, ?))(v)(a;) = v(x), for all x G [p]] and v G 
Valndp]]), which means w((cr, Z))(v) fj^j = v, that 
means that Item 1 of Definition IV. 1 holds. 

2) For the Item 2 of Definition IV. 1, let 
Vi,V2 G Valodp]]) and x G ((p)) such that 
(vi) = (v2)rDop(p,a;)- We havc to prove that 
w((cr, Z))(vi)(x) = w((cr, Z))(v2)(.t). By definition, 
we have that w((cr, Z))(vi)(a;) = ((cr, /), x, hi) and 
w((cr, ?))(v2)(a;) = ((cr, ;), .t, [12). So, we have only 
to show that hi = h2. To do this, consider a cyclic 
dependence (e, f?) G C(P) for which there exists 
i G [0, |(t|[ such that cr = ((t)^ and x = b((e)j). Then, 
we have that vi(y) = V2(y) = ((cr', /'), y', h') for 
y = b((e)(j_i) fnod |ct|)- Then, we have the following: 

• by Item 2a of Definition B.4, if i = 1 then 
hi((e,?)) = l-hi'((e,a)) = h2((e,a)); 

• by Item 2b of Definition B.4, if i G ]1, then 
hi((e,a)) = hi'((e,a)) = h2((e,(7)). 

On the other side, consider a cyclic dependence 
(e, (t) G C(P) such that cr ^ (rr),- or x ^ b((e)i), 
for all i G [0, . In this case, by Item 2c of Defini- 
tion B.4, we have that hi((e, a)) = = h2((e, a)). 

■ 

Proofs of theorems: We are finally able to show the 
proofs of the above mentioned results. 



Theorem V.l (Intersecting Dependence Maps). Let S C 54 
Sig(E) be a finite set of intersecting signatures on E. Then, 55 
for all signature dependences w e SigDepi3(S) for S overse 
a set D, it holds that w is intersecting. 57 

Proof: By Definition V.5 of signature dependence/^ 
to prove the statement, i.e., that n(p^b)£s{v o b : v e 
rng(w(p, b))} 7^ 0, we show the existence of a function^" 
d e such that, for all signatures a = (p, b) S S, there 
is a valuation Vq. e rng(w((T)) for which d = o b. 

We build d iteratively by means of a succession of partial ^ 
functions dj : E ^ D, with j G [0, |E|], satisfying the" 
following invariants: 

1) dj(e') = dj(e"), forall (e',e") e Col(S)n(dom(dj) x 
dom(dj)); 

2) for all e G dom(dj), there is i G [0,j[ such that e is 
a pivot for S w.r.t. dom(di); 

3) dom(dj) C dom(dj+i), where j < |E|; ^° 

4) dj = dj+i where j < |E|. 

Before continuing, observe that, since ((S)) = 0, for each 
element e € E \ [[SJ, there exists exactly one signature cTg = 
(pe, be) G S such that e G {{(le))- 

As base case, we simply set do = 0. It is immediate to 
see that the invariants are vacuously satisfied. ™ 

Now, consider the iterative case j G [0, |E|[ . By 
Lemma B.4 of pivot existence, there is a pivot ej G E for'^ 
S w.r.t. dom(dj). Remind that Cj ^ dom(dj). At this point, 
two cases can arise. °° 

• e, G [[S]]. 

If there is an element e G dom(dj) such that (e, Cj) G 
Col(S) then set d^+i = dj[ej dj(e)]. By Invariant 1 
at step j, the choice of such an element is irrelevant.^'* 
Otherwise, choose a value c G D, and set dj+i = 
dj[ej c]. In both cases, all invariants at step j + 1^ 
are trivially satisfied by construction. 
. ej ^ IS]]. 

Consider a valuation Vj G ValD([[pe .)]] such that 
v,(be,(e)) = dj{e), for all e G dom(d,) n [[aej.'° 
The existence of such a valuation is ensured by In-^^ 
variant 1 at step j, since dj(e') = dj{e"), for all 
e',e" G dom(dj) with be^(e') = be^.(e"). Now, set 
dj+i = dj[ej H-). w(£7ej(vj)(be^.(ej))]. It remains 
to verify the invariants at step j + 1. Invariants 2, 
3, and 4 are trivially satisfied by construction. For 
Invariant 1, instead, suppose that there exists (cj, e) G 
Col(S) n (dom(dj+i) x dom(dj+i)) with Cj e. By'' 
Invariant 2 at step j, there is i G [0, j[ such that e is ^ 
a pivot for S w.r.t. dom(di), i.e., e = ei. At this point,*™ 
two subcases can arise, the first of which results to be*"* 
impossible. 
- e. G [[S]]. 

By Item 1 of Definition B.l of pivot, it holds thatio4 
Col(S,ei) C dom(di). Moreover, since ej ^ [[Sjjios 
and {ej,ei) G Col(S), it holds that ej G Col(S, ei)m 



Thus, by a repeated application of Invariant 3 from 
step i to step j, we have that ej G dom(dj) C 
dom(dj) ^ Cj, which is a contradiction. 
- ^ [[SI. 

Since ej,ei ^ [[Sj] and {ej,ei) G Col(S), it is 
easy to see that = (^et and be.{ej) = bei(ei). 
Otherwise, we have that ej G ((S)) = 0, which 
is impossible. Hence, it follows that dj+i(ej) = 
w(o-e,)(vj)(be^.(ej)) = w(CTe.)(vj)(be,(e,)). More- 
over, di+i(ei) = w(CTeJ(vi)(be,(ei)). Now, it 
is easy to observe that Dep{pj,bej{ej)) = 
Dep(pj, bei(ei)), from which we derive that 

VirDep(p„be,(e^))=^irDep(p„be,(e,))- At this point, 

by Item 2 of Definition IV. 1 of dependence maps, 
it holds that w(crei)(vj)(bei(ei)) = w((7ej(vj) 
(be,(ej)), so, dj+i{ej) = di+i(ej). Finally, by a 
repeated application of Invariant 4 from step i+1 to 
step j, we obtain that di+i(ei) = dj^i{ei). Hence, 
dj+i(ej) =dj+i(ei). 

By a repeated application of Invariant 3 from step to 
step |E| — 1, we have that d|E| is a total function. So, we 
can now prove that d = d|E| satisfies the statement, i.e., 
d e n(j,,.b)Gs{v o b : V G mg(w(p, b))}. 

For each signature a = (p, b) G S, consider the universal 
valuation v'^ G ValD([[p]]) such that v^(b(e)) = d(e), for 
all e G [[(t]]. The existence of such a valuation is ensured 
by Invariant 1 at step |E|. Moreover, let = w(cr)(v^). It 
remains to prove that d = v^r o b, by showing separately that 
dfM = K ° and d^^^^)) = K ° ^)\{{<r)) hold. 

On one hand, by Item 1 of Definition IV. 1, for each x G 
[[p]], it holds that y'„{x) = w((t)(v^)(x). Thus, for each 
e G [[cr]], we have that v^(b(e)) = w((T)(v^)(b(e)), which 
implies d(e) = v;(b(e)) = w(a)(v;)(b(e)) = v,(b(e)) = 
(v^ o b)(e). So, df[[^]] = K o 

On the other hand, consider an element e G (((t)) . By In- 
variant 2 at step |E|, there is i G [0, |E|[ such that e is a pivot 
for S w.r.t. dom(di). This means that Cj = e and so = a. 
So, by construction, we have that di+i(e) = w((T)(vi)(b(e)). 
Moreover, w(a)(v;)(b(e)) = v<,(b(e)) = (v<, o b)(e). Thus, 
to prove the required statement, we have only to show that 
d(e) = d,+i(e) and w(a)(v,)(b(e)) = w(a)(v;)(b(e)). By a 
repeated apphcation of Invariants 3 and 4 from step i to step 
|E| — 1, we obtain that dom(di) C dom(d), dj = dfdom(di)7 
and di-|_i(e) = d(e). Thus, by definition of and v^, it 
follows that Vi(b(e')) = di(e') = d(e') = v;(b(e')), for all 
e' G dom(dj). At this point, by Item 2 of Definition B.l, 
it holds that Dep(cr, e) C dom(dj), which implies that 
VirDep(p,b(e)) = <iDep{pMe))- ^ence, by Item 2 of Defi- 
nition IV.l, we have that w(cr)(vj)(b(e)) = w((T)(v^)(b(e)). 
So, df = (v<,ob)f ■ 

Corollary V.l (Intersecting Dependence Maps). Let P C 
LSig(E, L) be a finite set of intersecting labeled signatures 
on E w.r.t. L. Then, for all labeled signature dependences 



w G LSigDepj5(P) for P over a set D, it holds that w is 53 
intersecting. 54 

55 

Proof: Consider the set P' = {{a,l) e P ; ((cr)) ^ 0} 

56 

of all labeled signatures in P having at least one existential 
element. Since P is intersecting, by Definition V.4 of inter-" 
secting signatures, we have that, for all (cr. Zi). (cr. I2) E P', it 
holds that h = h- So, let S = {cr G Sig(E) : 3/ e L.(cr, I) e 
P'} be the set of first components of labeled signatures 
in P' and h : S P' the bijective function such that 
h(cr) = (cr, /), for all ct S S, where Z £ L is the unique label 
for which (ct, I) e P' holds. Now, since S is intersecting, by 
Theorem V. 1 of intersecting dependence maps, we have that 
the signature dependence woh e SigDcpj3(S) is intersecting 
as well. Thus, it is immediate to see that w \-pi is also ^ 
intersecting, i.e., by Definition V.5 of signature dependences, 
there exists d G such that d e ^{{p.b)j)e'P'{'^ o b i^s 
V G rng(w((p, b), I))} ^ 0. At this point, consider the la-ef 
beled signatures (cr, I) = ((p, b), /) G P\P'. Since ((a)) = 0,'° 
i.e., ((p)) = 0, we derive that w((cr, /)) G DMd(p) is the^' 
identity dependence map, i.e., it is the identity function on 
ValD(V(p)). Thus, rng(w((cr,0)) = ValD(V(p)). So, we '3 
have that d G r\^^p,b),i)&vb'°^ ■ v e rng(w((p, b), 0)} ^ 
Hence, again by Definition V.5, it holds that w is intersecting. 

■ 76 
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Theorem V.2 (Non-Intersecting Dependence Maps). Let 

P C LSig(E, L) be a set of labeled signatures on E 
w.r.t. L. Then, there exists a labeled signature dependence ^ 
w G LSigDcpD(P) for P over D = P x {0, Ij'^^P' such 
that, for all P' C P, it holds that Wfp/ G LSigDepj3(P') is 
non-intersecting, if P' is non-intersecting. 

Proof: Let S' = {cr G Sig(E) : 31 G L . (cr, /) G P'} be 84 
the set of signatures that occur in some labeled signature in 

p/ 85 

If P' is non-intersecting, we distinguish the following ^ 
three cases. s? 

1) There exist (a, h), (a, h) G P', with a = (p, b), such ^ 
that ((cr)) 7^ and h^h. 

Then, for all valuations v G ValD([[p]]) and vari-^° 
ables X G ((p)), we have that w((ct, /i))(v)(a;) = 
((cr,li),x, hi) ^ ((cr,?2),a;, ha) = ^{{a,h)){^){x). ^ 
Thus, w((cr, /i))(v)(.x) o b / w((cr, Z2))(v)(x) o b, for 
all V G ValD([[p]]). Hence, w is non-intersecting. 

2) ((S')) ^ 0. 

Then, there exist a' = (p', b'), cr" = (p". b") G S',95 
e' G ((ct')), and e" G {{a")) such that a' / a" or 96 
b'(e') ^ b"(e") and, in both cases, (e',e") G Col(S').97 
By contradiction, let d G ^{(p.h).i)eP'{'^ o b : v G 98 
rng(w(((p,b),0))}- Observe that d(e') = d(e"), for 99 
all (e', e") G Col(S'). So, there exist v' G Vabdp'Doo 
and v" G Vabdp"]]) such that v'(b'(e)) = d(e),ioi 
for all e G [[a']], and v"(b"(e)) = d(e), for allio2 
e G [cr"]]. Observe that there are I' ,1" G L such thatios 



{a', I'), {a", I") G P'. So, by the hypothesis of the 
existence of d, we have that w((cr', r))(v')(b'(e')) = 
d(e') = d(e") = w((a",r'))(v")(b"(e")). Now, the 
following cases arise. 

• a a . 

By Definition B.4 of big signature depen- 
dence, it holds that w((f7', /'))(v')(b'(e')) = 

(((T',r),b'(e'),h') ^ ((a",r'),b"(e"),h") = 
w(((t", /"))(v")(b"(e")), which is a contradiction. 

• a = a . 

Then, we have that b'(e') ^ b"{e"). By Defini- 
tion B.4, it holds that w((c7', r))(v')(b'(e')) = 
{{<j',l'),b'{e'),W) ^ {{cj",l"),b"{e"),W') = 
w(((t", r'))(v")(b"(e")). which is a contradiction. 
3) C(S')y^0. 

Then, there exists (e, it) G C(S')- Let n = |a| - 
1. Assume, by contradiction, that there exists d G 
n((p,b),;)eP'{v o b : V G rng(w(((p, b), I)))}. Observe 
again that d(e') = d(e"), for all (e',e") G Col(S'). 
Now, for all (ct); = {pi, hi) G S' there exists 
k G L such that {{a)i,li) G P'. Moreover, let 
Vj G Vabdpj]]) such that Vj(bj(e)) = d(e), for 
all e G [[cTj]]. Then, there exist n + 1 functions 
ho,...,h„ G {0,1}'^(P) such that, for all i G [0,n], 
we have that d((e)i) = w(((a)i, ?i))(vi)(bi((eli)) = 
{{((j)i,li),hi{{e}i),hi). Observe that, by Item 2b 
of Definition B.4, for all i G [0,n[ , it holds 
that hj+i((e, ct)) = hj((e, ct)) and, in particular, 
ho((e, (j)) — h„((e, cr)). However, by Item 2a of 
Definition B.4, it holds that ho((e, a)) = l-h„((e, a)). 
So, ho((e, ?)) 7^ h„((e, ct)), which is a contradiction. 



Appendix C. 
Proofs of Section VI 

In this appendix, we prove Theorem VI. 2 on the negative 
properties for Sl. Successively, we introduce the concept 
of flagged model and flagged formulas. FinaUy, we prove 
Theorem VI.3. 

Theorem VL2 (Sl Negative Model Properties). For Sl, it 

holds that: 

1) it is not invariant under decision-unwinding; 

2) it does not have the decision-tree model property. 

Proof: [Item (1)]. Assume by contradiction that Sl is in- 
variant under decision-unwinding and consider the two CGSs 
Gi ^ (AP, Ag, Ac, St, A, Tg, , So) and ^2 = (AP, Ag, Ac, St, 
A,Tg,,so), with AP = {p}, Ag = {a,p}, Ac = {0,1}, 
St = {so,s;,s'/,s^,s^',s^,sg}, A(S2') = A(S2") = {p} and 
A(s) = 0, for all s G St \ {52', S2"}, and rg^ and rg^ 
given as follow. If by ab we indicate the decision in which 
agent a takes the action a and agent (3 the action b, then 
we set Tgi and rg^ as follow: Tg^{so,0*) = rg^isoj^O) = 



Si', Tg^{so,U) = Tg^{so,*l) 
Tg^{si',0*) = 32, Tg,{si,U) 



Si", re,(si',0*) = 



(si",0*) 



rgAsi",0*) = S2", rg,is,",U) 



s, for 



rg2isi",U) = S3", and Tgjs,**) = Tg,^{s,**) 
all s e {S2', S2", S3', ss"}- Observe that Gidu = GiDU- 

Then, it is evident that Qi \= (p iff 0i_d!7 H iff O2DU t= 
t/? iff Q2 \= 'P- In particular, the property does have to 
hold for the Sl sentence (p = ((x))((yp))((y^p))((a,x)(^,yp) 
(XXp)) A ((a,x)(/3,y^p)(XX -.p)). It is easy to see that 
Gi ^ if, while Q2 \= if. Thus, Sl cannot be invariant under 
decision-unwinding. 

Indeed, each strategy fx of the agent a in ^1 forces 
to reach only one state at a time among sJ,, s'2', S3, and 
S3. Formally, for each strategy € Strgj(so), there is 
a state s e {sj, s'j, S3, S3} such that, for all strategies' 
fy € Str0j(so), it holds that {77)2 = s, where tt =' 
play (0 [a f^] [/3 1-> fy] , sq) . Thus, it is impossible to satisfy ' 
both the goals XXp and X X -ip with the same strategy of ' 
a. ; 

On the contrary, since Sq in G2 is owned by the agent (3, -, 
we may reach both s'^ and s'/ with the same strategy fx of a. -, 
Thus, if fx{^() • s'l) 7^ fT(so • s'/), we reach, at the same time, 
either the pair of states s'2 and S3' or S2 and S3. Formally, there 
are a strategy fx & Strg2(so), with fx{sQ ■ s'^) ^ fj;(so ■ s'/),; 



a pair of states (sp,s^p) e {(s2, S3'), (sj, S3)}, and two 77 T^{{s,i),6) = {T{s,6\\^),b') with i' = Q ijf d{f} = 



Flagged features: A flagged model of a given Cgs S is 
obtained adding a so-called jj-agent to the set of agents and 
flagging every state with two flags. Intuitively, the jj-agent 
takes control of the flag to use in order to establish which 
part of a given formula is checked in the CGS. We start 
giving first the definition of plan and then the concepts of 
flagged model snA flagged formulas. 

Definition C.l (Plans). A track (resp., path) plan in a COS 
Q is a finite (resp., an infinite) sequence of decisions k G 
Dc* (resp., k G Dc"j. TPln = Dc* (resp., PPln = Do"; 
denotes the set of all track (resp., path) plans. Moreover, 
with each non-trivial track p e Trk (resp., path w € Pthj 
it is associated the set TPln(p) = {k € Dc''''""'^ : Vi G [0, 
\k\[ .{p)i+i = T((p)i, («),)} C TPln (resp., PPln(7r) ^ 
{k G Dc" : Vi e N. (7r)i+i = T((7r)i, (k).)} C PPlnj of 
track (resp., path) plans that are consistent with p (resp., w). 

Definition C.2 (Flagged model). Let G = (AP, Ag, Ac, St, 
A, r, So) be a CGS with |Ac| > 2. Let tt ^ Ag and G Ac. 
Then, the flagged CGS is defined as follows: 

Gi = (AP,AgU{fl},Ac,St X {0,1},Aj,tj,(so,0)) 

where A|j(s,t) = A(s), for all s G St and l e {0, 1}, and 



strategies fyp,fy^p G Str52(so) such that (7rp)2 = Sp and 
(7r^p)2 = s^p, where TTp = play(0[a 1-^ fx][f3 ^ fyp],so)[ 
and TT-.p = play(0[a M- fx][l3 fy^p],so). Hence, we can^ 
satisfy both the goals XXp and X X -ip with the same ^ 
strategy of a. 

[Item (2)]. To prove the statement we have to show that 
there exists a satisfiable sentence that does not have a Dt 
model. Consider the Sl sentence = ip\ f\ pi2, where 
(^1 is the negation of the sentence ip used in Item (1) 
and ^2 ^ [[x]][[y]](a,x)(/3,y)X((((x))((y))(a,x)(/3,y)Xp) A 
(((x))((y))(a,x)(/3,y)X ^p)). Moreover, note that the sen- 
tence Lp2 is equivalent to the Ctl formula AX ((EX p) A 
(EX^p)). Then, consider the CGS G = (AP, Ag, Ac, St, 
A,r,so) witii AP = {p}, Ag - {a,/3}, Ac = {0,1}, 
St = {so,si}, A(so) = and A(si) = {p}, andT(so,0*) = 
r(si, *0) = So, and t(so, 1*) = r(si, *1) = s\. 

It is easy to see that G satisfies ip. At this point, let T 
be a Dt model of </?2- Then, such a tree has necessarily 
at least two actions and, consequently, two different suc- 
cessors t\^t2 G Dc* of the root e, where t\^t2 G Dc^^ 
and t\(oi) = t2{a). Moreover, there are two decisions 
di,d2 G Dc such that p G X{ti ■ di) and p ^ \{t2 • ^2)-^'^ 
Now, let fx,fyp,fy^p G Str(e) be three strategies for which 
the following holds: f^{e) = ti{a), fy^{e) = <i(/3), fy^p(e) = 
i2(/3), Uh) = di(a), fy,(ti) = di(/3), fx(i2) = d2(a),ioo 
and fy^p(t2) = d2(/3)- Then, it is immediate to see thati 01 
r,0[x ^ fj[yp ^ fyp][y^p ^ fy.p],e h ((a,x)(;3,yp>02 
(XXp)) A ((a,x)(^,y^p)(XX-.p)). Thus, we obtain thatios 
T ^ . Hence, <^ does not have a Dt model. km 



Since G and G^ have a different set of agents, an agent- 
closed formula ip w.r.t. Agg is clearly not agent-closed w.r.t. 
Agg.^ . For this reason, we introduce the concept of flagged 

81 formulas, that represent, in some sense, the agent-closure of 

82 formulas. 

83 Definition C.3 (Flagged formulas). Let tp G Sl[1g]. The 

84 universal flagged formula of ip, in symbol ipA^, is obtained 

85 by replacing every principal subsentence <f) G psnt(<y9) with 

86 the formula (pA^ = ll2;|t]](tt,a;|t)</>- The existential fiagged 

87 formula of ^p, in symbol ipEp is obtained by replacing 

88 every principal subsentence <p G psnt(<p) with the formula 

89 (/)£;ti = ((a;^))(tJ,a:;t^)'^• 



Substantially, these definitions help us to check satisfiabil- 
ity of principal subsentences in a separate way. The special 
agent jj takes control, over the flagged model, of which 
branch to walk on the satisfiability of some (p G psnt(yj). 
Obviously, there is a strict connection between satisfiability 
of flagged formulas over G^ and ip over G. Indeed, the 
following lemma holds. 

Lenuna C.l (Flagged model satisfiabihty). Let ip G Sl[1g] 
and let (pAi and ifsi the flagged formulas. Moreover, let G 
be a Cgs and Gi his relative flagged CGS. Then, for all 
s G St, it holds that: 

1) if G,9,s \= ip then t/|j,0(s,/,) |= pAp for all t G 

{0,1}; 

2) if, for all t G {0, 1} it holds that G(,, 0, (s, t) \= ipE(,, 
then G,^,s \= ip. 



Proof: On the first case, let 9 € DMstrg (p), we 54 
consider Oa^ <E DMstrg^ ([[a^jlp) ^^^^ that if x ^ then 55 
^Aij,{x)ix) = Oix){x), otherwise 6Ia|j(x)(x) = xix^i)- On 56 
the second case, let ^ej e DMstrgj (((a;|j))p), we considers? 
€ DMstrgCp) such that e{x){x)) = OEi{x)ix)) (note that 
dom(0(x)) is strictly included in dom(0£;tt(x)))- Now, given 59 
a binding b and its relative function 4, consider bj = (ft, X|))b eo 
and its relative function 4,tJ- show that in both cases 
considered above there is some useful relation between 52 
TTb = play(6'(x) o Chs) and 7r|,,j, = play(6ltt(x) ° Cl>,t), (s,''))-63 
Indeed, let k\, the plan such that, for all i G N, we have that 64 
(7r|,)i+i = T((7ri,)j, and let the plan such that,65 

for all i e N, we have that (7rt_j)i+i = T((7rtj)i, (K;b,|t)i).66 
By the definition of play, for each i E N and a G gj 
Ag, we have that («-,[,),(») = (6'(x) o Cb)(a)((7rb)j) and^g 
(«;|,,t))j(a) = (6'j(x) °(b.t:)(a)((7i"b,|))j). Clearly, for all i G N.gg 
we have that = (('^•b.j)*) rAg- Due to these facts, we 

can prove by induction that for each z € N there exists 
L € {0,1} such that (tt^ j)^ = ((7r^)i,i). The base case is 
trivial and we omit it here. As inductive case, suppose that 
(■'rb,|j)i = {{T^\))i, i). for some i. Then, by definition we have 
that (7rb,|t)i+i = Tj((7rb,j)i, (Kb.ti)^)- Moreover, by definition 
of rj, we have that (7rb,j)i+i = (^((Ti'b)^, ((Kb.j)j)rAg), t')v6 
for some l' E {0,1}. Since (Kb)^ = ((Kb,s)j) rAg, we 
have that (7rb,j)i+i = (r((7r|,)i, t') = ((7rb)i+i, tO^s 

which is the assert. It follows, by definition of Aj, that 
X{{TT\,)i) = Aj((7r^,j)i), for each z G N. So, every sentence 
satisfied on tt^ is satisfied also on tt^ j. Now we proceed to 
prove Items 1 and 2, separately. Item 1. First, consider the 
case that (f) is of the form p-ijj, where p is a quantification 
prefix and V is a boolean composition of goals. Since ^ 
G,^,-'' 1= 0, there exists 6 G DMstrs(p) such that we 
have £/,f?(x),,s ^ 0, for all assignment x '= Asgg(s). 
Now, consider j = [[a;[t]](tl, a;[t)(/), which is equivalent to 
[[.Tj]]p(tl,a;tt)V'. Then, consider ^^jj G DMsn-g^ ([[^^sIp) such"' 
that 6*^11 (x) (a;) = d{x){x), H x ^ x^, and ^(xjla;) = x(a;tt)/[ 
otherwise. Clearly, is build starting from 9 as described 
above. Then, from the fact that 0, s |= 0, it follows that 90 
0, (s, i) ^ (/)At). Now, if we have a formula if embedding 9, 
some proper principal subsentence, then by the induction 92 
hypothesis every (}> G psnt{ip) is satisfied by Q if and only 93 
if </)A,t) is satisfied by tjj. By working on the structure of the 94 
formula it follows that the result holds for and i^^j too, 95 
so the proof for this Item is done. 96 

97 

Item 2. First, consider the case of is of the form 
p^, where p is a quantification prefix and V is a boolean ga 
composition of goals. Let ^)j,0, (s, t) |= (j)E,i- Note that 99 

- ((■^d))(---''^'|:)p'0 is equivalent to {{x^))p{^,x{)tj), soioo 
there exists 9e^ G DMstrg^ {^x^))p) such that, for all assigunoi 
ment x e Asgg^{{{x{))p), we have that G^, 9Ei{x), (s, t) hi"^ 
(jj, Then, consider 9 G DMstrg given by 9{x){x)) =103 

0jj(x)(a;)). Clearly, 6* is build starting from 9Ei as describedio4 
above. Then, from ^j, 6'£;ti(x)) (*) N (ttj^^j)^ it foUowsios 



that G,^,s ^ ^. Now, if we have a formula (f embedding 
some proper principal subsentence, then by the induction 
hypothesis every (j) G psnt((^) is satisfied by G if and only 
if (j>A,i is satisfied by G^- By working on the structure of the 
formula it follows that the result holds for and ipE^ too, 
so the proof for this Item is done. ■ 

Proof of Theorem VI. 3: From now on, by using Item 2 
of Theorem VI. 1, we can assume to work exclusively 
on CGTs. Let = {s G Str : T, 0,s |= 0} and 
= X (0, 1}. By Item 1 of Lemma C.l, we have that 

7i,0,t h <i^Ai, for all t G T^. Moreover, for all t G T^, 
consider a strategy fj* G StTj-^{t) given by fjj'(/9) = cj iff 
p = t. Moreover, for all (f) G psnt((/?), consider the function 
: Trkr.(£) ^ 2(S*^« ^^^rkr,) ^^^^ ^^p) ^ {(p„p') 
: * G [0, Ap' G Trkr,(0[tt ^ fj^-j.ft) A Ist(p) = Ist(p')}. 
Note that {\st{p),\st{p)) G A^(p). Indeed: fi) lst(/9) = p\p\; 

(ii) Ist(p)) G Trkr,(0[tt ^ fi'*^"^], Ist(p)); and (Hi) Ist(p) = 
lst(lst(p)). Observe that if {pi,p') G A0(p) then p' = p>i. 
Hence, except for (Ist(p), Ist(p)), there exists at most one 
pair in /^cpip). Indeed, by contradiction let {pi,p>i) and 
{pj,p>j) both in A^(p) with i % j and j ^ \p\. Then, 
by the definition of compatible tracks Trk7-j(0[tt — > f^],pi), 
there exists a plan n G Pln(p>j) such that for all h G [0, 
IpI - i[ we have Kh{^) = f^{{p>i)<h)- Then, by the 
definition of f^', HhiVi 7^ cj. So, by the definition of plan 
and rj, we have that pj+i = (s, 1). On the other hand, since 
{Pj,p>j) G A^{p), then there exists a plan k' G Pln(p>j) 
such that (K')o(tl) = fj'"" (p>i) = cj. Which imphes, by the 
definition of plan and rj, we have that pj+i — (s', 0), which 
is in contradiction with the fact that the second coordinate 
of pj+i is 1, as shown above. 

This reasoning allows us to build the functions head^ 
and body^ for the disjoint satisfiability of (f) over Tj on 
the set T^. Indeed, the unique element {pi,p') G ^^{p) \ 
{(Ist(p), lst(/C)))} can be used to define opportunely the ele- 
mentary dependence map used for such disjoint satisfiability. 

Theorem VI.3 (Sl[1g] Bounded Tree-Model Property). 
Let (p be an Sl[1g] satisfiable sentence and P = 
{((p, b), (V-, i)) e LSig(Ag, Sl X {0, 1}) : pbV- e psnt((p) A 
i G {0,1}} the set of all labeled signatures on Ag w.r.t. 
Sl X {0,1} for ip. Then, there exists a b-bounded Dt T, 
with 6 = |P| • |V(P)| • 2l°(P)l, such that T \= ip. Moreover, 
for all (f) G psnt(</?), it holds that T satisfies <p disjointly 
over the set {s G St : T, 0, s |= 4>\. 

Proof: Since is satisfiable, then, by Item 2 of The- 
orem VI. 1, we have that there exists a Dt T, such that 
T \^ ip- We now prove that there exists a bounded Dt 
V = (AP,Ag,Acr',Str'],Ar',rr',£) with Acr' = [0, 
n[ and n = |P| • |V(P)| • 2lc(P)l. Since V is a Dt, we 
have to define only the labeling function A7-'. To do this, 
we need two auxiliary functions h : Str x DC7-' Dcr 
and g : Str' Str that lift correctly the labeling function 



At- to Function g is defined recursively as follows: (i) 
g(e) ^ e, (ii) g(t'-d') ^ g(i')-h(g(i'),d')- Then, for all t' e 
Str', we define Ar' (f) = Xr{g{t')). It remains to define the 
function h. By Item 1 of Lemma C.l, we have that 7j \= (fiAi 
and consequently that 7j \= ifisp Moreover, applying the 
reasoning explained above, 7j satisfies disjointly </> over S^, 
for all (j) e psnt((^). Then, for all (t> G psnt((^), we have that 
there exist a function head^ : — > DMac7-(p) ^ func- 
tion body^ : Trk7-(£) — > DMact(p) that allow T to satisfy 
(j) ia a disjoint way over S^. Now, by Theorem V.2, there 
exists a signature dependence w e LSigDep^c^, (P) such 
that, for all P' C P, we have that Wfp/ e LSigDcp^c^, (P) 
is non-intersecting, if P is non-intersecting. Moreover, by 
Corollary V. 1, for aU P' CP, we have that Wfp' e 
LSigDepAc^, (P) is intersecting, if P is intersecting. At this 
point, consider the function D : DC7-/ 2^ that, for all ' 
d' e Dcr', is given by D(d') ^ {((p, b), (Va «)) = ct e P, 



Wit){a) 



, otherwise 



: 3e' e Acr'"^''^^.cl' = w(cr)(e') o (}. Note that, for all 
d' € Dct"', we have that D(d) C P is intersecting. Now, 
consider the functions W : Stj-^ — > LSigDep^p^(P) such 
that, for all t € StT^ and a = ((p, b), G P, is such 

that 

head^{t) 
body^ip') 

where = pb^ and p' G Trkr, (e) is the unique track such 
that Ist(p') = t. Moreover, consider the function T : Str, x 
Dcr 2^ such that, for all t G Str, and d G Dcr, it 
is given by T(i,d) = {a = ((p, b), (V-, i)) G P : 3e G 
Acr'^^'^.d = W(t)(e) o ^}. It is easy to see that, for all 
d' G Dcr' and t G Str^, there exists d G Dcr such that 
D(d') C T{t, d). By Corollary V.l, for all t G Str,, we have 
that W(t) |-D(d') is intersecting. So, by Definition V.5, for all 
t G Str, and d' G Dcr 



there exists d G Acr such that f 



d G n^=(j3,c),(V,i)eD(d'){zo b : z G rng(W(t)(cr))}, which 
implies T{t,d) 3 D(d'). Finally, by applying the previous 
reasoning we obtain the function h such that, for all (t.d') G 
Str xDcr', it associates a decision h(f, d') = d G Dcr- The 
proof that T' \= (p proceeds naturally by induction and it is 
omitted here. 



Appendix D. ^ 

Proofs of Section VII ^ 

9 

In this appendix, we give the proofs of Lemmas VII. 1 ^ 
and VII. 2 of Sl[1g] goal and sentence automaton and Theo- 
rems VII. 1 and VII. 2 of Sl[1g] automaton and satisfiability. 

Alternating tree automata: Nondeterministic tree au-^ 
tomata are a generalization to infinite trees of the clas- 
sical nondeterministic word automata on infinite words. 

9 

Alternating tree automata are a further generalization of 

10 

nondeterministic tree automata [17]. Intuitively, on visiting a 
node of the input tree, while the latter sends exactly one copy 
of itself to each of the successors of the node, the formerio 



can send several own copies to the same successor. Here we 
use, in particular, alternating parity tree automata, which 
are alternating tree automata along with a parity acceptance 
condition (see [9], for a survey). 

We now give the formal definition of alternating tree 
automata. 

Definition D.l (Alternating Tree Automata). An alternating 
tree automaton (Ata, for short) is a tuple A= (S, A, Q, 5, 

(7o,H), where S, A, and Q are, respectively, non-empty finite 
sets of input symbols, directions, and states, go G Q is an 
initial state, H is an acceptance condition to be defined later, 
and (5 : Q X S — > B+(A X Q) is an alternating transition 
function that maps each pair of states and input symbols to 
a positive Boolean combination on the set of propositions 
of the form [d, g) G A x Q, a.k.a. moves. 

On one side, a nondeterministic tree automaton (Nta, for 
short) is a special case of Ata in which each conjunction in 
the transition function 5 has exactly one move (rf, q) asso- 
ciated with each direction d. This means that, for all states 
g G Q and symbols cr G S, we have that 6{q, a) is equivalent 
to a Boolean formula of the form Y- AdgA(^' Qi,<i)- the 
other side, a universal tree automaton (Uta, for short) is a 
special case of Ata in which all the Boolean combinations 
that appear in 6 are conjunctions of moves. Thus, we have 
that 5{q,a) = /\^{di,qi), for all states g G Q and symbols 
0- G S. 

The semantics of the AtAs is given through the following 
concept of run. 

Definition D.l (Ata Run). A run of an Ata A = (S, A, Q, 

6, qo, H) on a Tt-labeled A-tree T = (T, v) is a (A x Q)-/ree 
R such that, for all nodes a; G R, where x = niLiC*^*' 
and y = W^^i di with n G [0, it holds that (i) y G T and 
(u), there is a set of moves S C A x Q with S \= S{qn, v(2/)) 
such that X ■ {d, q) G R, for all {d, q) G S. 

In the following, we consider Atas along with the parity 
acceptance condition (APT, for short) H = (Fi, . . . , Ffe) G 
(2Q)+ with Fi C . . . C Ffc = Q (see [12], for more). 
The number k of sets in the tuple H is called the index of 
the automaton. We also consider Atas with the co-Buchi 
acceptance condition (ACT, for short) that is the special 
parity condition with index 2. 

Let R be a run of an Ata ^ on a tree T and w one 
of its branches. Then, by inf(M;) = {g G Q : |{i G N : 
3d G A..{w)i = {d,q)}\ = oj} we denote the set of states 
that occur infinitely often as the second component of the 
letters along the branch w. Moreover, we say that w satisfies 
the parity acceptance condition H = (Fi, . . . , Ffc) if the least 
index i G [1, fc] for which inf(w) n F^ 7^ is even. 

Finally, we can define the concept of language accepted 
by an Ata. 

Definition D.3 (Ata Acceptance). An Ata A= (S, A, Q, 



5, qo, H) accepts a Yi-labeled A-tree T iff is there exists a 52 
run Ti of A on T such that all its infinite branches satisfy 53 
the acceptance condition 54 

By L(^) we denote the language accepted by the Ata A, 
i.e., the set of trees T accepted by A. Moreover, A is said ^ 
to be empty if L(^) = 0. The emptiness problem for A is 
to decide whether 'L{A)=%. ^ 
Proofs of theorems: We are finally able to show the =9 
proofs of the above mentioned results. eo 

Lemma VII.l (Sl[1g] Goal Automaton). Let bip an Sl[1g] 
goal without principal subsentences and Ac a finite set of ac- 
tions. Then, there exists an UCT U^^ = (ValAc(free(b0)) x 

2^, Do, Q^^, 5obi/" ^bv) ^^^^ f^f' ^ ^^^^ 55 

Acr = Ac, states t G Str, and assignments x ^ ^ 
Asg.7-(free(bV'),i), it holds that T-X.t |= \>i{) iff T' & 
L{14^), where T' is the assignment-labeling encoding for ^ 
X on T. 

Proof: A first step in the construction of the UCT 70 
U^^, is to consider the Ucw = (2^, Q^,, (5^,, Qov;, 
H^) obtained by duaUzing the Nbw resulting from the 72 
application of the classic Vardi-Wolper construction to the 73 
Ltl formula -rij: [23]. Observe that L(W^) = L('(/i), i.e., this 74 
automaton recognizes all infinite words on the alphabet 2^ 75 
that satisfy the Ltl formula V'- Then, define the components 76 
ofU^^ = (ValAc(free(bV')) x 2^ ,'Dc,Qh,Sh,Qoh,^h)''" 
as follows: 75 

• Qbv - {Sobi/'} U Qv<, with Qobi/' ^ Qv; 

• Si,^{qo^,^,{\/,a)) = Ag^Q Si,^iq,{\/,a)), for all«° 

(v,a) € ValAc(free(bV')) x2AP; 
. (v,a)) = Ag'e5^(q,<7)(v ° Cb,«')' for all q€Q^'' 

and (v, a) e ValAc(free(bV')) x 2^^; 

Intuitively, the UCT simply runs the UCW on the ^= 
branch of the encoding individuated by the assignment in ^ 
input. Thus, it is easy to see that, for all states t G St^ and 
assignments x € Asgj-{free{\>'4>),t), it holds that T,Xjt \= 
bip iff T' e L{iU^), where T' is the assigrraient-labeUng ss 
encoding for x on T. ■ 90 

Lemma VII.2 (Sl[1g] Sentence Automaton). Let p\>ip 
be an Sl[1g] principal sentence without principal subsen- 
tences and Ac a finite set of actions. Then, there exists 

an UCT U^^^ = (DMac(p) x 2^ ,Dc,CIpH^^pH'1opH-'11 
'^p\>ii) such that, for all Dts T with Acf = Ac, states 
t e Str, <^nd elementary dependence maps over strategies 
e EDMsii.^(j)(p), it holds that T,9{x),t He ^ip, for^^ 
all X G Asgrilplt)' Wr G L(WA^), where V is the'" 
elementary dependence-labeling encoding for 6 on T. 99 

Proof: By Lemma VII.l of Sl[1g] goal automaton,'"" 

there is an UCT U^^ = (ValAc(free(bV^)) x 2^, Dc, Q^v-,'"' 
S'obV" ^bv) such that, for all Dts T with Acr = Ac,io2 
states t G Str, and assigrmients x G Asgr(free(bV'), t), itios 



holds that T,x,t \= H iff T' G HU^^), where T is the 
assignment-labeling encoding for % on T. 
Now, transform into the 



new 



UCT 



- (DMac(p) X 2^,Dc,Q^b^,^^b^,gopbV'^pb^>. 



with Q 



pbi/i 



bV" 



which is used to handle the quantification prefix p 
atomically, where the transition function is defined as 
follows: (5pb^(g, (6',ct)) ^ AveVaiAc([W) '^^'^(9' (^M' '^))' 
for all q € Qg,\>^ and {0,a) € DMac(p) x 2^. Intuitively, 
^pbv- reads an action dependence map 9 on each node of 
the input tree T' labeled with a set of atomic propositions 
(J and simulates the execution of the transition function 
4^(9, (v, a)) of for each possible valuation v = ^(v') 
on free(\>tp) obtained from by a universal valuation 
v' G ValAc([[pE)- It is worth observing that we cannot 
move the component set DMac(p) from the input alphabet 
to the states of 1^^^^ by making a related guessing of 
the dependence map 9 in the transition function, since 
we have to ensure that all states in a given node of 
the tree T', i.e., in each track of the original model T, 
make the same choice for 9. 

Finally, it remains to prove that, for all states t G 
Str and elementary dependence maps over strategies 9 G 
EDMstrr(t)(p)' it holds that T,9{x),t \=e for all 
X G Asgr([[p]],t), iff r G L(^^Ac^), where T is the 
elementary dependence-labeling encoding for on T. 

[Only if]. Suppose that T,9{x),t |=e ^4', for all x G 
Asgr([[p]],i)- Since tp does not contain principal subsen- 
tences, we have that T, 9{x), t \= \>tp. So, due to the property 
of it follows that there exists an assignment-labeling 
encoding 7^ G L{U^), which implies the existence of a 
(Dc X Q|,^)-tree R;^ that is an accepting run for on 7^. 

At this point, let R = U^eAs^ ([[p]] i) the union of all 

runs. Then, due to the particular definition of the transition 
function of W^^^, it is not hard to see that R is an accepting 



run for U^^^ on V. Hence, V G L(U^ 



p\>'lp ' 



[If]. Suppose that V G \j{U^^^). Then, there exists a 
(Dc X Qpt,^)-tree R that is an accepting run for U^^,^ on 
T'. Now, for each x G Asg^([[p]], i), let R^ be the run 
for on the assignment-state encoding 7^ for 0{x) on 
T. Due to the particular definition of the transition function 
of U^^^, it is not hard to see that R^ C R. Thus, since 
R is accepting, we have that R^ is accepting as well. So, 
7^ G ^{U^^). At this point, due to the property of U^^, 
it follows that T, 6'(x),i |= bV^. Since 1/' does not contain 
principal subsentences, we have that T,9{x),t |=e b^, for 
allxGAsg^([[p]],i). ■ 

Theorem VII.l (Sl[1g] Automaton). Let ip be an Sl[1g] 

sentence. Then, there exists an UCT such that y> is 
satisfiable iff Ij{U,^) 7^ 0. 

Proof: By Theorem VI. 3 of Sl[1g] bounded tree- 
model property, if an Sl[1g] sentence ip is satisfiable, it 



is satisfiable in a disjoint way on a 6-bounded Dt with 54 
6 ^ |P| • |V(P)| • 2lc(P)l, where P ^ {((p, b), (V', i)) e 55 
LSig(Ag, Sl X {0, 1}) : pb^- & psnt((^) A i e {0, 1}} is the 
set of all labeled signatures on Ag w.r.t. Sl x {0, 1}. Thus,^^ 
we can build an automaton that accepts only 6-bounded tree 
encodings. To do this, in the following, we assume Ac = [0, 

60 

Consider each principal subsentence (f) G psnt((^) of ip 
as a sentence with atomic propositions in AP U psnt((/?) 
having no inner principal subsentence. This means that these 
subsentences are considered as fresh atomic propositions. 
Now, let ^/Ac A (dMac(p) X 2^upsnt(^)^ q_^^ ^ 
H^) be the UCTs built in Lemma VII.2. Moreover, set 
M ^ {m G psnt(y.) ^ UpeQnt(v),vcvar DMac(p) -l 
\t(j) = pbtp G psnt((y5) . m(0) G DMacIp)}- Then, we define ^ 
the components of the UCT = {M x M x 2APupsnt(¥.) ^ ^ 
Dc, Q, S, <7o, as follows: 

• Q = {90, Qc} U U0Gpsnt(v)-L<^} ^ Q-/-; '1 

• '5('?o, (m/i, m6,cr)) = (5((7c,(m,i,mf,,CT)), if cr ^ (/?,72 
and 6 {qq, {mil, mi,, a)) — otherwise, where (p is 73 
considered here as a Boolean formula on APUpsnt((^); 74 

. (m,„mfa,a)) = AdeDc(d,9c) A A^e^npsnt^ 

(^.slgo?,, (mft((^), a))[{d, g)/(d, (0, <?))]; 76 

• K{<P,Q)A'^h,mb,a)) = 5^{q,{mb{(l)),a))[{(i,q')/ 77 
(d,(0,g'))]; 

• ^ - U^epsntM{'^} ^ ^-A- 

Intuitively, checks whether there are principal subsen-"" 
tences 4> of (p contained into the labeling, for all nodes 
of the input tree, by means of the checking state Qc. In 82 
the affirmative case, it runs the related automata li^^ by 83 
supplying them, as dependence maps on actions, the heading 34 
part mh, when it starts, and the body part mb, otherwise. In ss 
this way, it checks that the disjoint satisfiability is verified, gg 

We now prove that the above construction is correct. 37 

[Only if]. Suppose that ip is satisfiable. Then, by Theo-ss 
rem VI. 3 there exists a 6-bounded Dt T such that T \= p-sci 
In particular, w.l.o.g., assume that Acr = Ac. Moreover, for 90 
all (j) = p\>il} e psnt((/?), it holds that T satisfies 4> disjointly 91 
over the set S,j = {t G StT- : T.^.t |= (f\. This means 92 
that, by Definition VI. 3 of Sl[1g] disjoint satisfiabihty, 93 
there exist two functions head^ : DMac(p) and 

body^ : Trkr(e) DMac(p) such that, for all t G S<i and^" 
X G Asg^([[p]],t), it holds that T,0^,t{x),t N bV', where'' 
the elementary dependence map 6^^t € EDMstrT-(t)(p) is 96 
defined as follows: (i) O^^tit) = head0(t); (ii) 0^^t{p) = 
body^(p' • p), for all p G Trk7-(t) with \p\ > 1, whereas 
p' e Trk7-(e) is the unique track such that p' ■ p € Trk7-(£:).99 

Now, let 7^ be the Dt over APUpsnt(</7) with Ac-j-^ = Acioo 
such that (i) Xr^it) n AP = Xr{t) and (ii) (p G Xr^{t) iffm 
t e S^, for all t e Str^ = Str and G psnt((p). 102 

By Lemma VII.2, we have that 7^' , G 1^(14^"), where 7^' ^103 
is the elementary dependence-labeling encoding for ^^^t onio4 
Tip. Thus, there is a (Dc x Q^j-tree t that is an acceptingios 



runfori/^'= on T^ ^. So, let R'^ ^ be the (DcxQ)-tree defined 
as follows: R^^, ^ {{t ■ t' , {(P,q)) : [f ,q) G R^,*}. 

At this point, let R ^ R,, U U06psnt(^),tes^ %,t be the 
(Dc X Q)-tree, where R^ = {e]\J{{t,qc) : t G Str At 7^ e}, 
and V = (Str, u) one of the (M x M x 2^'~'^^"^^'P^)-\ab&\Qd 
Dc-tree satisfying the following property: for all t G Str and 
(f) G psnt((/?), it holds that u(t) = (m/j, m^, cr), where (i) an 
AP = Xr{i), (ii) (/) G CT iff t G S^, (Hi) mh(4>) = head0(t), if 
t G S^, and (iv) mb(^) = body^(pt) with pt G Trkr(e) the 
unique track such that \st{pt) = t. Moreover, since T \= ^, 
we have that Ar^ (e) |= ip, where, in the last expression, ip 
is considered as a Boolean formula on AP U psnt{p). Then, 
it is easy to prove that R is an accepting run for U^p on T', 
i.e., V G L(Z^^). Hence, L(W^) ^ 0. 

[If]. Suppose that there is an (M x M x 2^'^p="'('^))- 
labeled Dc-tree V = (Dc*,u) such that V G L(W^) 
and let the (Dc x Q)-tree R be the accepting run for 
on T'. Moreover, let T be the Dt over AP U psnt((p) 
with Acr = Ac such that, for all t G Str, it holds that 
u(t) = (m^, rrih, Xj-{t)), for some mh, mj, G M. 

Now, for all 4>= pbip G p5r\t{p), we make the following 
further assumptions: 

. S0 = {t G Str : 3mh,mb G M,ct G 2^upsnt(v) _ 
ii{t) = (m/i, mb, a) Acj) G a}; 

• let R^.t be the (Dc x Q0)-tree such that R^^t — {e} U 
{(<', q):{t- 1', ((j), q)) G R}, for all t G S^; ' 

• let 7^ ( be the elementary dependence-labeling encod- 
ing for^,( G EDMstr^(i)(p) on T, for all i G S^, 
where 6^^t{t) = mh{<P), with u{t) = (m/,, mb^a-) for 
some mb G M and cr G 2^UP'"*('^), and 6'^,t(p) = 
mb((/)), with u(lst(p)) = (m?j, rrib, a) for some m;j G M 
and CT G 2^UP="'(*'), for all p G Trkr(t) with \p\ > 1. 

Since R is an accepting run, it is easy to prove that R^.t 
is an accepting run for U^'^ on 77^. Thus, Tl^ G L{U^''). 



So, by Lemma VII.2, it holds that T,6^^t{x),t \= \)ip, for 
all f G S<j and x G Asgr([[p]], t), which means that S,^ = 
{tGStr : r,0,t h0}- 

Finally, since Ar^(e) |= if, we have that T \= ip, where, 
in the first expression, (p is considered as a Boolean formula 
on AP U psnt(</?). ■ 

Theorem VII.2 (Sl[1g] Satisfiabihty). The satisfiability 
problem for Sl[1g] is 2ExpTime-C0MPLETE. 

Proof: By Theorem VII. 1 of Sl[1g] automaton, to 

verify whether an Sl[1g] sentence p is satisfiable we can 
calculate the emptiness of the Upt U^p. This automaton is ob- 
tained by merging all UCTs U^^, with = pbV' G psnt((/7), 
which in turn are based on the UCTs W^^.^^ that embed the 
Ucws U^.'&y a simple calculation, it is easy to see that Utp 
has 2°(l^l) states. 

Now, by using a well-known nondeterminization proce- 
dure for Apts [18], we obtain an equivalent Npt with 
22°""" states and index 2°(l^l). 



The emptiness problem for such a kind of automaton with 
n states and index h is solvable in time 0(n'').Thus, we get 
that the time complexity of checking whether (p is satisfiable 
is 2^°"*'". Hence, the membership of the satisfiability prob- 
lem for Sl[1g] in 2ExpTlME directly follows. Finally the 
thesis is proved, by getting the relative lower bound from 
the same problem for Ctl* ■ 



